18-year-old Joseph Garrison from Madison, Wisconsin He is accused of organizing the hacking of the sports betting site DraftKings and stealing $ 600,000 from hundreds of customer accounts.
According to federal prosecutors in Manhattan, Garrison used stolen usernames and passwords that he bought on the darknet to hack into 60,000 DraftKings accounts last November. He then sold this information to other people, who used it to empty 1,600 customer accounts. This method of hacking is called "credential stuffing" and works best when users use the same password and login on different sites.
"Cheating is fun," Garrison allegedly wrote in a text message to his co-conspirator, according to court documents. "I'm addicted to seeing money in my account."
DraftKings is not named in the criminal complaint, but confirmed that some of its clients ' accounts were compromised during the scheme and said that it returned the stolen money.
"The security and confidentiality of our customers personal and billing information is of paramount importance to DraftKings, " the company said in a statement.
At the time of the hack, Garrison was already facing charges in a separate case in Wisconsin for allegedly paying people in bitcoins online to make bomb threats to his own school in Madison and other cities where his friends lived. This practice is called "swatting". In one such case, Garrison allegedly asked for a threatening phone call because he was bored and wanted to go home, according to court records in Wisconsin.
Garrison turned himself in to New York City authorities on Thursday morning and was scheduled to appear before a judge later that day. It was not immediately clear if he had hired a lawyer in the hacking case, and the lawyer who represented him in the earlier swatting case did not respond to a message seeking comment on the arrest.
While the Wisconsin police department was investigating the "swatting" case, they found evidence that Garrison was involved in a series of hacking scams over several years and accumulated a fortune of $ 2.1 million by the age of 17. He admitted that he earned an average of $ 15,000 a day from 2018 to 2021, but told investigators that he had stopped engaging in any hacking activity, according to court documents.
But five months after that, he allegedly carried out a "credential stuffing" attack on the DraftKings website, prosecutors said. DraftKings employees were able to track down Garrison after they launched their own investigation and bought back some of the stolen credentials that he sold on the dark web.
"Garrison gained unauthorized access to the victims accounts, using a sophisticated cyberattack to steal hundreds of thousands of dollars," said Michael Driscoll of the FBI. "Cyber intrusions aimed at stealing the personal funds of individuals pose a serious threat to our economic security.
The investigation later found that the attacker's IP address, which was used to sell account information, corresponded to the IP address of Garrison's parents home, where he lived.
This is not the first case of hacking a sports betting site. Earlier, we wrote about how hackers stole the data of more than 2 million users of the BetUS site . We also reported on how hackers extorted $ 10 million from SBTech, a company that provides software for sports betting sites.
----
19-year-old Joseph Garrison from Wisconsin, USA, finally pleaded guilty to organizing a large-scale attack on a betting site. For the first time, the teenager became widely known in May of this year , when it was reported that he managed to hack 60 thousand accounts of the DraftKings betting service using the "Credential Stuffing" method.
After gaining access to user accounts, Garrison and his accomplices linked a new payment method in their personal account, adding $ 5 to the account for verification, and then withdrawing all funds deposited to the user's balance through it.
According to the court, the attackers stole about 600 thousand dollars from about 1,600 accounts in this way. During a search of Garrison's computer, the police found about 40 million credentials that could be used in attacks by the method of selection.
In addition, analysis of Garrison's phone revealed correspondence between him and his accomplices, where participants in the scheme discussed potential ways to hack the target site and possible monetization of this procedure.
The final decision of the court is yet to be heard, but the maximum penalty that the teenager faces is up to five years in prison.
This incident clearly demonstrates that the unreliable protection of accounts on popular sites, especially those related to finance, can lead to real damage to its users.: both in the form of loss of funds, and in the form of leakage of confidential data.
Unique complex passwords and two-factor authentication are the security methods that in modern reality should be integrated by default on absolutely all sites with the ability to log in. This is the only way to avoid the risks associated with hacking accounts.
According to federal prosecutors in Manhattan, Garrison used stolen usernames and passwords that he bought on the darknet to hack into 60,000 DraftKings accounts last November. He then sold this information to other people, who used it to empty 1,600 customer accounts. This method of hacking is called "credential stuffing" and works best when users use the same password and login on different sites.
"Cheating is fun," Garrison allegedly wrote in a text message to his co-conspirator, according to court documents. "I'm addicted to seeing money in my account."
DraftKings is not named in the criminal complaint, but confirmed that some of its clients ' accounts were compromised during the scheme and said that it returned the stolen money.
"The security and confidentiality of our customers personal and billing information is of paramount importance to DraftKings, " the company said in a statement.
At the time of the hack, Garrison was already facing charges in a separate case in Wisconsin for allegedly paying people in bitcoins online to make bomb threats to his own school in Madison and other cities where his friends lived. This practice is called "swatting". In one such case, Garrison allegedly asked for a threatening phone call because he was bored and wanted to go home, according to court records in Wisconsin.
Garrison turned himself in to New York City authorities on Thursday morning and was scheduled to appear before a judge later that day. It was not immediately clear if he had hired a lawyer in the hacking case, and the lawyer who represented him in the earlier swatting case did not respond to a message seeking comment on the arrest.
While the Wisconsin police department was investigating the "swatting" case, they found evidence that Garrison was involved in a series of hacking scams over several years and accumulated a fortune of $ 2.1 million by the age of 17. He admitted that he earned an average of $ 15,000 a day from 2018 to 2021, but told investigators that he had stopped engaging in any hacking activity, according to court documents.
But five months after that, he allegedly carried out a "credential stuffing" attack on the DraftKings website, prosecutors said. DraftKings employees were able to track down Garrison after they launched their own investigation and bought back some of the stolen credentials that he sold on the dark web.
"Garrison gained unauthorized access to the victims accounts, using a sophisticated cyberattack to steal hundreds of thousands of dollars," said Michael Driscoll of the FBI. "Cyber intrusions aimed at stealing the personal funds of individuals pose a serious threat to our economic security.
The investigation later found that the attacker's IP address, which was used to sell account information, corresponded to the IP address of Garrison's parents home, where he lived.
This is not the first case of hacking a sports betting site. Earlier, we wrote about how hackers stole the data of more than 2 million users of the BetUS site . We also reported on how hackers extorted $ 10 million from SBTech, a company that provides software for sports betting sites.
----
19-year-old Joseph Garrison from Wisconsin, USA, finally pleaded guilty to organizing a large-scale attack on a betting site. For the first time, the teenager became widely known in May of this year , when it was reported that he managed to hack 60 thousand accounts of the DraftKings betting service using the "Credential Stuffing" method.
After gaining access to user accounts, Garrison and his accomplices linked a new payment method in their personal account, adding $ 5 to the account for verification, and then withdrawing all funds deposited to the user's balance through it.
According to the court, the attackers stole about 600 thousand dollars from about 1,600 accounts in this way. During a search of Garrison's computer, the police found about 40 million credentials that could be used in attacks by the method of selection.
In addition, analysis of Garrison's phone revealed correspondence between him and his accomplices, where participants in the scheme discussed potential ways to hack the target site and possible monetization of this procedure.
The final decision of the court is yet to be heard, but the maximum penalty that the teenager faces is up to five years in prison.
This incident clearly demonstrates that the unreliable protection of accounts on popular sites, especially those related to finance, can lead to real damage to its users.: both in the form of loss of funds, and in the form of leakage of confidential data.
Unique complex passwords and two-factor authentication are the security methods that in modern reality should be integrated by default on absolutely all sites with the ability to log in. This is the only way to avoid the risks associated with hacking accounts.
