DraftKings Hacker Pleads Guilty to Stealing $600K from Customer Accounts

Posted on: November 16, 2023, 02:54h. 

Last updated on: November 17, 2023, 09:52h.

A Madison, Wisconsin teenager pled guilty Wednesday to conspiracy to commit computer intrusion. The plea came in relation to the theft of more than $600K from around 1,600 DraftKings accounts.

Joseph Garrison, hacker, DraftKings,
Joseph Garrison, above, made more than $2.1 million from fraud by the time he was 18. He also had a habit of making bomb threats to his high school, according to prosecutors. (Image: Dane County Sheriff’s Office)

Joseph Garrison, 18, who once bragged to a coconspirator that “fraud is fun,” faces up to five years in a federal prison.

On Nov. 18, 2022, the teenager, with others, launched a credential-stuffing attack on the DraftKings sportsbook, according to prosecutors. This is where a cybercriminal uses log-in credentials that have typically been stolen during large-scale corporate data breaches and purchased on the Dark Web.

The hacker then uses the stolen credentials to gain access to accounts where the user has the same password.

Once in, Garrison and his accomplices were able to add a new payment method to the account, deposit $5 to verify that method, and then withdraw all the existing funds, court documents claim.

‘Addicted’ to Fraud

The attack, which was reported by Casino.org at the time, caused DraftKings’ shares to fall 5% on the Nasdaq. Investors feared a drop-off in consumer confidence in the mobile sportsbook, which had recently launched in many new U.S. state markets.

When the FBI raided Garrison’s home in February 2023, they found credential-stuffing software, which had been used to target dozens of different corporate websites. Agents also found files containing nearly 40 million pairs of usernames and passwords on the suspect’s computer.

Meanwhile, conversations extracted from Garrison’s phone included discussions on how to hack and exploit the DraftKings website, prosecutors said.

“Fraud is fun,” Garrison wrote to a coconspirator, according to court documents. “I’m addicted to seeing money in my account. I’m like obsessed with bypassing shit.”

$15K Per Day

During the investigation in Wisconsin, it was discovered Garrison allegedly had made more than $2.1 million from cyberfraud by the time he was 18. Between 2018 and 2021, his activities were making him $15k a day.

This isn’t Garrison’s first brush with the law. Just months before the DraftKings attack, he was charged with five counts of making a bomb threat, three counts of making terrorist threats, and one count of attempted bomb threat.

These related to Garrison’s habit of hiring third parties over the internet to dial in threats to his school, Memorial High School in Madison, prosecutors said. He did this on five occasions because he was “bored and wanted to go home,” according to court documents.