Teen Alleged DraftKings Hacker Charged with $600k Fraud by Feds
A Wisconsin teenager is facing multiple counts of fraud and other crimes after he and other cyber thieves hacked and then sold access to DraftKings’ betting accounts. More than $600,000 in customer funds were allegedly lost last year during the attacks.
The teen, 18-year-old Joseph Garrison, of Madison, Wisconsin, turned himself in to an FBI investigator in New York City on Thursday. He will appear in court this week for preliminary hearings.
Prompt and Effective Action
Although the victim betting site was not named directly in the official statement on the case from the United States Attorney for the Southern District of New York, it was widely reported to be DraftKings.
The fantasy sports and betting website confirmed it was hacked back in November 2022.
“The safety and security of our customers’ personal and payment information is of paramount importance to DraftKings,” the company told CNBC after it was named in the media.
“We worked with law enforcement in catching the alleged bad actor(s), and we want to thank the Department of Justice for their prompt and effective action.”
Fraud is Fun
Garrison obtained a huge list of online credentials off the dark web, presumably from other compromised sites.
He and his fellow perpetrators then used that information to try email and password combinations against DraftKings until some proved to match.
They would then either mark a compromised account as one worth stealing from, in order to sell the information, or attempt to clean it out of funds themselves.
When they did it themselves, it was reportedly quite a simple process.
Once logged in, hackers would set up a new payment method for the account, deposit $5 to confirm it, and then withdraw the entire existing account balance to their own new payment method.
It is estimated some 60,000 DraftKings accounts were accessed in this way. More than $600,000 was stolen from approximately 1,600 of them.
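The cash-out sequence described above (new payment method, small confirming deposit, withdrawal of the whole balance) leaves a recognizable trail in account event logs. The following detection sketch is an added example, not code from the article or from DraftKings; the event schema, thresholds, and sample events are constructed assumptions.

```python
from datetime import datetime, timedelta

# Assumed thresholds for this example; tune against real traffic.
WINDOW = timedelta(hours=24)  # how long a payment method counts as "new"
SMALL_DEPOSIT = 10.00         # ceiling for a confirming deposit
DRAIN_RATIO = 0.9             # share of the balance that counts as a drain

# Constructed sample events: (time, account, type, method, amount, balance_before)
EVENTS = [
    ("2022-11-20T09:00", "acct-A", "add_method", "card-1", 0.0, 412.50),
    ("2022-11-20T09:01", "acct-A", "deposit", "card-1", 5.0, 412.50),
    ("2022-11-20T09:03", "acct-A", "withdraw", "card-1", 417.50, 417.50),
    ("2022-06-01T12:00", "acct-B", "add_method", "card-7", 0.0, 80.0),
    ("2022-11-20T10:00", "acct-B", "deposit", "card-7", 50.0, 80.0),
    ("2022-11-20T10:30", "acct-B", "withdraw", "card-7", 20.0, 130.0),
    ("2022-11-21T08:00", "acct-C", "add_method", "bank-3", 0.0, 900.0),
    ("2022-11-21T08:05", "acct-C", "withdraw", "bank-3", 900.0, 900.0),
]

def find_cashouts(events):
    """Return {account: severity} for drains to a recently added payment method."""
    added = {}        # (account, method) -> time the method was added
    verified = set()  # new methods that then received a small deposit
    alerts = {}
    # ISO timestamps in one format sort chronologically as strings.
    for ts, acct, kind, method, amount, balance in sorted(events):
        when = datetime.fromisoformat(ts)
        key = (acct, method)
        if kind == "add_method":
            added[key] = when
        elif kind == "deposit" and key in added:
            if amount <= SMALL_DEPOSIT and when - added[key] <= WINDOW:
                verified.add(key)
        elif kind == "withdraw" and key in added:
            recent = when - added[key] <= WINDOW
            drained = balance > 0 and amount / balance >= DRAIN_RATIO
            if recent and drained:
                # Full three-step pattern is "high"; a drain to a new
                # method without the confirming deposit is "medium".
                alerts[acct] = "high" if key in verified else "medium"
    return alerts

if __name__ == "__main__":
    for account, severity in find_cashouts(EVENTS).items():
        print(account, severity)
```

An alert like this is most useful as a trigger to hold the withdrawal and require step-up verification, since the login itself used valid credentials.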
During the investigation, law enforcement raided Garrison’s Wisconsin residence.
Seized were more than 700 files for setting up such “credential stuffing” attacks, and nearly 40 million username and password combinations.
Feds also found brazen communications stating how much money and enjoyment Garrison was getting from his crimes.
“Fraud is fun . . . im addicted to seeing money in my account . . . im like obsessed,” read one of Garrison’s text messages to another alleged fraudster.
It has been reported that at the time of the hacks, Garrison was already under federal investigation for his part in a series of hoax bomb threats, or “swatting” incidents, at schools in his local area.
Wire Fraud Conspiracy
If found guilty on all counts, Garrison could spend the rest of his life in prison.
He faces six federal charges, including wire fraud, wire fraud conspiracy, aggravated identity theft, unauthorized access to a protected computer, and conspiracy to commit computer intrusions.
A maximum sentence isn’t the most likely outcome. But even the minimum sentences for each of those crimes add up to more than 10 years.
The prosecution will be led by U.S. Attorneys Kevin Mead and Micah Ferguson, under their office’s Complex Fraud and Cyber Crimes Units.