DraftKings Hacker Facing Fed Charges, Allegedly Stole $600K from Gaming Company

Posted on: May 18, 2023, 04:10h. 

Last updated on: May 19, 2023, 01:16h.

A Wisconsin teenager faces federal criminal charges for working with other cyber thieves to sell access to DraftKings betting accounts. The group allegedly drained $600k from approximately 1,600 of those accounts.

Garrison DraftKings
A mug shot of Joseph Garrison, seen above. He allegedly led an effort to steal $600K from DraftKings accounts. (Image: Dane County Sheriff’s Office)

Madison resident Joseph Garrison, 18, is facing six criminal counts. He surrendered himself Thursday to the FBI in New York and was scheduled to appear before US Magistrate Judge James Cott this afternoon. DraftKings wasn’t named in a press statement published by the United States Attorney for the Southern District of New York. But the gaming company confirmed it was the target of a credential-stuffing attack last November.

In credential-stuffing attacks, perpetrators steal account identifiers and/or email and password pairings and later sell that data on the dark web. It’s estimated Garrison and his cohorts successfully accessed 60K DraftKings client accounts.

“In some instances, the individuals who unlawfully accessed the Victim Accounts were able to add a new payment method on the account, deposit $5 into that account through the new payment method to verify that method, and then withdraw all the existing funds in the Victim Account through the new payment method (i.e., to a newly added financial account belonging to the hacker), thus stealing the funds in the Victim Account,” according to the statement.

A February search of Garrison’s home revealed evidence of computer programs used for this form of cybercrime.

 DraftKings Hack Larger than Feared

In confirming the cyber-breach last November, DraftKings initially said that the hack affected less than $300K in client funds.

In a December 2022 filing with the Maine Attorney General’s office, the sportsbook operator said the attack impacted 68K accounts. Immediately following the attack, the Boston-based company told customers highly sensitive data, such as a bank account, driver’s license, and Social Security numbers, weren’t accessed.

DraftKings added the cybercriminals likely accessed clients’ names, addresses, phone numbers, and email addresses, along with the last four digits of their payment cards, their account activity, and the date of their last password change.

Garrison is charged with “conspiracy to commit computer intrusions, which carries a maximum sentence of five years in prison; unauthorized access to a protected computer to further intended fraud, which carries a maximum sentence of five years in prison, unauthorized access to a protected computer, which carries a maximum sentence of five years in prison, wire fraud conspiracy, which carries a maximum sentence of 20 years in prison, wire fraud, which carries a maximum sentence of 20 years in prison, and aggravated identity theft, which carries a mandatory minimum sentence of two years in prison,” according to the statement.

For Garrison, Fraud Was ‘Fun’

In the February search of Garrison’s residence, law enforcement officers also seized his cell phone, which contained details of his interactions with his band of cyber actors and indications that he enjoyed perpetrating the fraud and subsequent financial spoils.

Fraud is fun . . . im addicted to see money in my account . . . im like obsessed with bypassing (expletive),” he wrote in a text.

Assistant U.S. Attorneys Kevin Mead and Micah Fergenson will lead the prosecution under the US Attorney’s Complex Frauds and Cybercrime Unit.