“Fraud is fun”: Wisconsin man pleads guilty to $600,000 DraftKings hack
The crime carries a maximum penalty of five years in prison. Garrison is due to be sentenced by US district judge Lewis A. Kaplan on 16 January 2024.
“Joseph Garrison and his co-conspirators launched an online cyberattack, stealing approximately $600,000 from innocent victims’ accounts,” said the prosecutor, US attorney Damian Williams.
“Garrison now stands convicted of a federal crime for targeting the accounts of victims making legitimate online wagers.”
Conspiracy to hack DraftKings accounts
According to charging documents, Garrison took part in a November 2022 “credential stuffing attack” to gain access to DraftKings user accounts.
This involved him taking usernames and passwords from data breaches, which can be bought on the dark web, then attempting to log in with the same details.
Since many individuals use the same password for multiple accounts, Garrison and his co-conspirators were able to gain access to approximately 60,000 DraftKings accounts using this method.
Once accounts were compromised, Garrison and the other involved individuals added a new payment method before depositing $5 to validate.
This enabled users to withdraw all existing funds via the new details. According to prosecutors, Garrison and the co-conspirators were able to steal $600,000 from around 1,600 victims using this approach.
In February 2023, police searched Garrison’s home, discovering the programmes needed to launch a credential stuffing attack.
These require individualised “config” files for a target website. The police said they found around 700 of these files for several corporate websites on Garrison’s computer.
The search also revealed close to 40 million username and password pairs on the computer, another component of a credential stuffing attack.
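The cash-out sequence prosecutors describe (a new payment method added to the account, a $5 validation deposit, then a withdrawal through that method) is a pattern a platform can alert on. The detection logic below is an added example, not code from the case or from DraftKings; the event names, field layout, 24-hour window and $10 deposit ceiling are assumptions, and the log entries are constructed.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(hours=24)   # assumed: the whole sequence must fit in this window
MAX_TEST_DEPOSIT = 10.00       # assumed ceiling for a "validation" deposit

# Constructed sample events: (timestamp, account, event type, payment method, amount)
EVENTS = [
    # Matches the described sequence: new method, $5 deposit, withdrawal via new method
    ("2022-11-18T02:10:00", "acct-1001", "method_added", "pm-new-1", 0.0),
    ("2022-11-18T02:12:00", "acct-1001", "deposit", "pm-new-1", 5.00),
    ("2022-11-18T02:15:00", "acct-1001", "withdrawal", "pm-new-1", 412.50),
    # Benign: long-standing method, no newly added method involved
    ("2022-11-18T09:00:00", "acct-2002", "deposit", "pm-old-7", 50.00),
    ("2022-11-18T21:00:00", "acct-2002", "withdrawal", "pm-old-7", 120.00),
    # Benign: new method and small deposit, but no withdrawal follows
    ("2022-11-19T10:00:00", "acct-3003", "method_added", "pm-new-3", 0.0),
    ("2022-11-19T10:05:00", "acct-3003", "deposit", "pm-new-3", 5.00),
    # Outside the window: withdrawal happens a week after the method was added
    ("2022-11-10T10:00:00", "acct-4004", "method_added", "pm-new-4", 0.0),
    ("2022-11-10T10:05:00", "acct-4004", "deposit", "pm-new-4", 5.00),
    ("2022-11-17T10:05:00", "acct-4004", "withdrawal", "pm-new-4", 80.00),
]

def flag_cashout_sequences(events, window=WINDOW, max_deposit=MAX_TEST_DEPOSIT):
    """Alert on: method added -> small deposit via it -> withdrawal via it, within window."""
    state = {}   # (account, method) -> when it was added and whether it was validated
    alerts = []
    for ts, account, kind, method, amount in sorted(events):  # ISO timestamps sort in time order
        when = datetime.fromisoformat(ts)
        key = (account, method)
        if kind == "method_added":
            state[key] = {"added": when, "validated": False}
            continue
        track = state.get(key)
        if track is None or when - track["added"] > window:
            continue  # method is not newly added, or the sequence took too long
        if kind == "deposit" and amount <= max_deposit:
            track["validated"] = True
        elif kind == "withdrawal" and track["validated"]:
            alerts.append({"account": account, "method": method,
                           "amount": amount, "elapsed": when - track["added"]})
    return alerts

if __name__ == "__main__":
    for alert in flag_cashout_sequences(EVENTS):
        print(alert)
```

In practice such a rule would be combined with login signals (new device, many failed logins from one source) and used to hold the withdrawal for step-up verification rather than to block outright.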
“Fraud is fun”
Prosecutors also told of how Garrison’s phone contained discussions between Garrison and his co-conspirators.
These involved conversations about hacking DraftKings, as well as ways to profit from the hack by either directly stealing funds or selling on the compromised accounts to another actor.
One conversation, specifically highlighted by prosecutors, saw Garrison brag about his skill and the personal enjoyment he received from credential stuffing attacks.
“fraud is fun . . . im addicted to see money in my account . . . im like obsessed with bypassing shit.”
The case is just the latest reported hack in the US gaming industry, which has found itself targeted over the last year.
In October, it was revealed land-based and online gaming giant MGM Resorts had been the victim of a phishing hack. The hackers caused chaos over the following week until order was restored.
The company’s competitor on the Vegas Strip, Caesars Entertainment, also had its systems compromised by cyber actors, though the damage was less severe.