DraftKings Hacker Pleads Guilty to $600K Theft
Joseph Garrison, an 18-year-old from Madison, Wisconsin, has pled guilty to charges relating to a $600,000 hacking attack on leading U.S. online sportsbook DraftKings.
On Wednesday, the teenager appeared before a court in New York, where he pled guilty to conspiracy to commit computer intrusion. Sentencing on that charge could see him spend up to five years in prison.
Garrison was charged in May for his involvement in a sophisticated cybercrime operation that successfully infiltrated approximately 60,000 accounts across various sports betting websites, including DraftKings.
Garrison, along with his accomplices, utilized a technique known as credential stuffing to access and exploit these accounts, leading to the theft of around $600,000 from more than 1,600 victims.
“Joseph Garrison and his co-conspirators launched an online cyberattack, stealing approximately $600,000 from innocent victims’ accounts,” said a press release from Damian Williams, the United States Attorney for the Southern District of New York.
“Garrison now stands convicted of a federal crime for targeting the accounts of victims making legitimate online wagers.”
“Fraud is Fun”
Garrison’s method involved the use of stolen login credentials, often sourced from large-scale corporate data breaches and available for purchase on the Dark Web.
These credentials were then used to access accounts on other platforms where users had reused the same password. Once inside an account, the hackers would add a new payment method, deposit a small amount to verify it, and then withdraw all available funds.
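The cash-out sequence described above (new payment method, small verification deposit, then a full withdrawal) is a pattern an operator can watch for in account events. The following detection sketch is an added example, not code from DraftKings or the investigation; the event names, field layout, thresholds and sample events are all assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Assumed tuning values, not taken from the article.
WINDOW = timedelta(hours=1)   # cash-out is expected soon after the new payment method
SMALL_DEPOSIT = 10.00         # ceiling for a "verification" deposit
DRAIN_RATIO = 0.9             # withdrawing >= 90% of the balance counts as draining

# Constructed sample events:
# (ISO timestamp, account, event type, amount, balance before the event)
EVENTS = [
    ("2023-01-01T10:00:00", "acct-1", "payment_method_added", 0.0, 500.0),
    ("2023-01-01T10:02:00", "acct-1", "deposit", 5.0, 500.0),
    ("2023-01-01T10:05:00", "acct-1", "withdrawal", 505.0, 505.0),
    # Ordinary customer: normal-sized deposit, partial withdrawal.
    ("2023-01-01T09:00:00", "acct-2", "payment_method_added", 0.0, 80.0),
    ("2023-01-01T09:01:00", "acct-2", "deposit", 100.0, 80.0),
    ("2023-01-01T09:30:00", "acct-2", "withdrawal", 20.0, 180.0),
    # Same steps as acct-1 but the withdrawal falls outside WINDOW.
    ("2023-01-01T08:00:00", "acct-3", "payment_method_added", 0.0, 300.0),
    ("2023-01-01T08:05:00", "acct-3", "deposit", 5.0, 300.0),
    ("2023-01-01T12:00:00", "acct-3", "withdrawal", 305.0, 305.0),
]

def flag_cashouts(events):
    """Return accounts where a new payment method is followed, within WINDOW,
    by a small deposit and then a withdrawal of nearly the whole balance."""
    state = {}    # account -> (stage reached, time the payment method was added)
    flagged = []
    for ts, acct, kind, amount, balance in sorted(events):
        t = datetime.fromisoformat(ts)
        stage, t0 = state.get(acct, (0, None))
        if kind == "payment_method_added":
            state[acct] = (1, t)                  # stage 1: sequence starts
        elif stage and t - t0 > WINDOW:
            state[acct] = (0, None)               # too slow: reset the sequence
        elif stage == 1 and kind == "deposit" and amount <= SMALL_DEPOSIT:
            state[acct] = (2, t0)                 # stage 2: verification deposit
        elif (stage == 2 and kind == "withdrawal" and balance > 0
              and amount >= DRAIN_RATIO * balance):
            flagged.append(acct)                  # stage 3: account drained
            state[acct] = (0, None)
    return flagged

if __name__ == "__main__":
    print(flag_cashouts(EVENTS))
```

In practice such a rule would be combined with login signals, such as a sign-in from a device or network the account has not used before, to hold the withdrawal for review.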
This cyberattack had significant repercussions for the Boston-based sports betting operator.
It not only cost customers $600,000 in funds, but also led to a temporary 5% dip in DraftKings’ shares, as investors reeled at the news.
The Federal Bureau of Investigation’s search of Garrison’s residence revealed evidence of extensive planning and execution, including credential-stuffing software, files containing millions of username and password pairs, and conversations about hacking techniques.
This hacking spree was not Garrison’s first encounter with the law. Prior to this incident, he had been charged with multiple counts of making bomb threats and terrorist threats, often against his Wisconsin high school.
This pattern of behavior suggested a deeper issue beyond mere financial gain.
Investigators found text messages from Garrison to an acquaintance, in which he expressed the excitement he got from bypassing security measures and amassing fraudulent gains.
“Fraud is fun . . . im addicted to seeing money in my account . . . im like obsessed,” the messages said.
Cybercrime a Constant Threat for Operators
Garrison’s case arrives amid growing concerns about cyber threats in the booming U.S. gambling sector.
Earlier this year, leading U.S. gambling operator MGM Resorts International experienced a significant cyberattack that seriously disrupted operations at its famous casinos in Las Vegas, Nevada, and at its other casino resorts across the country.
The 10-day service outages resulted in insured losses of approximately $100 million for the operator.
Shortly after that incident, reports broke that rival Las Vegas operator Caesars Entertainment had also suffered a cyberattack weeks earlier. It paid the hackers’ ransom demands to avoid disruption.
Both operators are currently facing lawsuits from guests who were inconvenienced or saw data stolen as a result of the attacks.
Even U.S.-facing offshore casinos are targets. Earlier in 2023, leading cryptocurrency casino Stake.com was the victim of a cyberattack in which hackers got away with $41 million in various cryptocurrencies.
The FBI later said it was likely that the North Korean state-sponsored hacking group Lazarus was the perpetrator.
Legal Repercussions and Industry Response
Fortunately for DraftKings in this case, the perpetrator has been booked.
As part of Garrison’s guilty plea, he agreed to forfeit more than $175,000, which represented the proceeds of his criminal activities.
Additionally, he consented to pay $1.33 million in restitution. Garrison, who has been on a $100,000 bond since his arrest, faces a potential maximum prison sentence of five years. Sentencing guidelines suggest two years to 30 months.
“The safety and security of our customers’ account information is of paramount importance to DraftKings. We want to thank the Department of Justice, including the FBI and U.S. Attorney’s office for the Southern District of New York, for their prompt and effective action,” said a statement from the operator.