18-Year-Old Charged With Hacking 60,000 DraftKings User Accounts

Federal officials have charged an 18-year-old Wisconsin resident for a hack that ensnared 60,000 user accounts at sports betting site DraftKings last year.

Joseph Garrison has been charged with conspiring to drain funds from DraftKings user accounts via a “credential stuffing attack.” This involves taking usernames and passwords exposed in past data breaches and using computer programs to plug the stolen credentials into other sites in an attempt to break into accounts that used the same username/password combinations. 

Federal officials didn’t name the sports betting site. But DraftKings told PCMag it worked with law enforcement to catch the “bad actor(s)” behind the assault. (In December, the company also warned users about the incident.)

Garrison allegedly launched the credential stuffing attack with the help of others on DraftKings in November, successfully comprising about 60,000 accounts. “Garrison then sold access to those victim accounts through various websites that marketed and sold illegal account credentials,” the FBI says in a criminal complaint.  

Garrison sold the hijacked DraftKings accounts with instructions on how to drain the funds, which involved adding a new payment method to a hijacked account. “Using this method, the hackers stole approximately $600,000 from approximately 1,600 victim accounts,” the FBI says.

The instructions

Federal investigators connected Garrison to the crimes by looking at the IP address “that uploaded the instructions to use those stolen credentials to steal money from the victim accounts.” That IP address was tied to a Wisconsin residence belonging to Garrison’s parents. Law enforcement then searched his home, including his home computer and smartphone. 

“On the Garrison computer, law enforcement located at least 69 wordlists which contained at least 38,484,088 individual username and password combinations,” the FBI’s complaint says. Investigators also uncovered messages Garrison sent to his associates about pulling off the hacks, and selling access to hijacked DraftKings accounts. 

“In one particular conversation, Garrison discussed, in substance and in part, how successful he was at credential stuffing attacks, how…