A Madison, Wisconsin teen has been charged with a massive credential stuffing attack that targeted DraftKings users in November 2022.
Madison, Wisconsin – In December 2022, an in-depth report by Hackread.com shed light on a series of data breaches that had targeted two prominent online casinos, DraftKings and BetMGM. Now, an 18-year-old Wisconsin man has been accused of orchestrating a credential-stuffing campaign that targeted users of the popular US betting platform DraftKings.
Joseph Garrison, hailing from Madison, was charged Thursday, May 18, 2023, with a slew of serious offences, including conspiracy to commit computer intrusions, unauthorized access to a protected computer, wire fraud conspiracy, and aggravated identity theft. If convicted, Garrison could face a maximum sentence of 57 years.
The alleged attack took place on November 18, 2022, when Garrison supposedly initiated his assault on unsuspecting DraftKings customers. Employing classic credential stuffing techniques, the teenager reportedly utilized stolen lists of username and password combinations to gain simultaneous access to various online accounts that may have shared identical login credentials.
Garrison’s modus operandi allowed him to breach approximately 60,000 user accounts on the DraftKings platform. Through his unauthorized access, he was able to add new payment methods to targeted accounts, deposit a nominal sum of $5 to verify the validity of the payment method, and subsequently withdraw all available funds.
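A defender-side sketch of the sequence described above, added here as an illustration and not taken from DraftKings or the court filings: it flags accounts where a newly added payment method receives a deposit of $5 or less and a withdrawal follows. The event names, field layout, 24-hour window and sample events are assumptions constructed for the example.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(hours=24)   # assumed correlation window, tune per platform
SMALL_DEPOSIT_MAX = 5.00       # the nominal $5 verification deposit from the article

# Constructed sample events: (timestamp, account, event, payment method, amount)
EVENTS = [
    # Full sequence: new method, $5 deposit, withdrawal minutes later
    ("2022-11-18T02:10:00", "acct-1001", "payment_method_added", "pm-new-1", 0.0),
    ("2022-11-18T02:12:00", "acct-1001", "deposit", "pm-new-1", 5.00),
    ("2022-11-18T02:20:00", "acct-1001", "withdrawal", "pm-new-1", 412.50),
    # Small deposit on a long-standing method: no new method, so not flagged
    ("2022-11-18T09:00:00", "acct-2002", "deposit", "pm-old-7", 5.00),
    ("2022-11-18T09:30:00", "acct-2002", "withdrawal", "pm-old-7", 20.00),
    # New method and small deposit, but the withdrawal is days later
    ("2022-11-10T08:00:00", "acct-3003", "payment_method_added", "pm-new-3", 0.0),
    ("2022-11-10T08:05:00", "acct-3003", "deposit", "pm-new-3", 5.00),
    ("2022-11-14T08:00:00", "acct-3003", "withdrawal", "pm-new-3", 30.00),
]

def detect_cashout_sequence(events, window=WINDOW, small_max=SMALL_DEPOSIT_MAX):
    """Alert on add-method -> small deposit -> withdrawal within the window."""
    added = {}    # (account, method) -> time the method was added
    armed = {}    # account -> (method, time added) once a small deposit verified it
    alerts = []
    for ts, acct, kind, method, amount in sorted(events):  # ISO timestamps sort by time
        t = datetime.fromisoformat(ts)
        if kind == "payment_method_added":
            added[(acct, method)] = t
        elif kind == "deposit":
            t_add = added.get((acct, method))
            if t_add and amount <= small_max and t - t_add <= window:
                armed[acct] = (method, t_add)
        elif kind == "withdrawal" and acct in armed:
            new_method, t_add = armed[acct]
            if t - t_add <= window:
                alerts.append({
                    "account": acct,
                    "new_method": new_method,
                    "withdrawn": amount,
                    "minutes_since_add": int((t - t_add).total_seconds() // 60),
                })
    return alerts

if __name__ == "__main__":
    for alert in detect_cashout_sequence(EVENTS):
        print(alert)
```

In practice a rule like this would hold or step-up-authenticate the withdrawal rather than only alert, since the funds leave within minutes of the payment method being added.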
The extent of the financial damage caused by Garrison and his cohorts is estimated to be around $600,000, affecting approximately 1,600 victim accounts. This figure, as disclosed by the US Attorney’s Office for the Southern District of New York, surpasses initial estimates, which had suggested that only $300,000 was stolen from customer accounts during the incident.
In a startling revelation, law enforcement officers who conducted a search of Garrison’s residence in February discovered incriminating evidence. They stumbled upon credential stuffing software, including 700 “config” files used for dozens of targeted websites, as well as files containing a staggering 40 million login combinations.
Furthermore, Garrison’s smartphone contained conversations with co-conspirators detailing strategies for hacking into DraftKings accounts and extracting funds. In one particularly damning exchange, Garrison allegedly expressed his delight in fraudulent activities, stating, “Fraud is fun… I’m addicted to seeing money in my account.”
The case against Garrison serves as a stark reminder of the growing threat posed by cybercriminals utilizing credential-stuffing techniques. DraftKings, a prominent platform in the online betting industry, was targeted in this sophisticated attack, leading to significant financial losses for numerous users.
As cybersecurity continues to be a pressing concern, both individuals and organizations must remain vigilant in safeguarding their personal information and employing strong, unique passwords across various online accounts.