Teenage DraftKings Hacker Pleads Guilty After Theft of $600,000 From User Accounts

  • Joseph Garrison hacked into over 60,000 accounts in November 2022
  • He sold the access details and instructed buyers on how to withdraw funds
  • The authorities found a lot of evidence after searching his home in February
A teenage hacker has pled guilty after infiltrating 60,000 DraftKings accounts. [Image: Shutterstock.com]

Eventually tracked down

A teenager who infiltrated DraftKings and helped to steal more than $600,000 from users has pled guilty to hacking the platform. Joseph Garrison gained access to over 60,000 accounts in November 2022 through a method called credential stuffing.

In this type of attack, a hacker uses stolen credentials accumulated from major data breaches to access accounts that the same people hold with other companies. The strategy works when a person has reused the same password across services.

The FBI eventually linked Garrison to the hack, and the Southern District of New York’s Complex Frauds and Cybercrime Unit began prosecuting the case. Garrison pled guilty on Wednesday to a single count of conspiracy to commit computer intrusion, which carries a maximum prison sentence of five years. Sentencing is set for January 16 before US District Judge Lewis Kaplan.

The operation

The 19-year-old sold the access details of users to other individuals and instructed buyers on how to get their hands on funds. With some of the accounts, infiltrators were able to introduce a new payment method. They could then add $5 to verify the method before withdrawing the entire balance.
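
For defenders, the cash-out sequence described above (new payment method, a deposit of about $5 to verify it, then withdrawal of the whole balance) can be flagged in account event logs. The following is an added example, not code from the article or from DraftKings; the event field names, thresholds and sample data are constructed assumptions.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(hours=24)  # assumed: how long a newly added method stays "new"
VERIFY_MAX = 5.00             # verification deposit size described in the article
DRAIN_RATIO = 0.9             # assumed: withdrawal of >= 90% of the balance

# Constructed sample events; field names are hypothetical.
EVENTS = [
    # a1: new method -> $5 deposit -> full withdrawal (the pattern)
    {"ts": "2022-11-20T10:00:00", "account": "a1", "type": "payment_method_added", "method": "card-new"},
    {"ts": "2022-11-20T10:02:00", "account": "a1", "type": "deposit", "method": "card-new", "amount": 5.00},
    {"ts": "2022-11-20T10:05:00", "account": "a1", "type": "withdrawal", "method": "card-new",
     "amount": 255.00, "balance_before": 255.00},
    # a2: full withdrawal to a long-standing method (no recent add)
    {"ts": "2022-11-20T11:00:00", "account": "a2", "type": "withdrawal", "method": "card-old",
     "amount": 300.00, "balance_before": 300.00},
    # a3: new method and small deposit, but only a partial withdrawal
    {"ts": "2022-11-20T12:00:00", "account": "a3", "type": "payment_method_added", "method": "bank-1"},
    {"ts": "2022-11-20T12:01:00", "account": "a3", "type": "deposit", "method": "bank-1", "amount": 5.00},
    {"ts": "2022-11-20T12:30:00", "account": "a3", "type": "withdrawal", "method": "bank-1",
     "amount": 20.00, "balance_before": 405.00},
]

def find_cashouts(events):
    """Return accounts showing: new method -> small deposit -> balance drain."""
    flagged = []
    state = {}  # (account, method) -> {"added": datetime, "verified": bool}
    for e in sorted(events, key=lambda ev: ev["ts"]):  # ISO timestamps sort as text
        ts = datetime.fromisoformat(e["ts"])
        key = (e["account"], e.get("method"))
        if e["type"] == "payment_method_added":
            state[key] = {"added": ts, "verified": False}
            continue
        s = state.get(key)
        if s is None or ts - s["added"] > WINDOW:
            continue  # method is not newly added, so it is out of scope here
        if e["type"] == "deposit" and e["amount"] <= VERIFY_MAX:
            s["verified"] = True
        elif (e["type"] == "withdrawal" and s["verified"]
              and e["amount"] >= DRAIN_RATIO * e["balance_before"]
              and e["account"] not in flagged):
            flagged.append(e["account"])
    return flagged

if __name__ == "__main__":
    print(find_cashouts(EVENTS))
```
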

The teenager sold the details on cybercrime marketplaces, charging up to $10 per DraftKings account. An image on Garrison’s phone showed that he had sold 225,247 products for a total lifetime revenue of $2.1m.

The co-conspirators tracked the response from DraftKings to the attack, providing updates when the operator reset the passwords of all the impacted accounts. Ultimately, DraftKings reimbursed all of the stolen funds.

Garrison also tried to hack into FanDuel accounts around the same time. The operator confirmed that the infiltrators did not get access.

An abundance of evidence

The authorities searched Garrison’s Wisconsin residence in February and discovered programs that hackers often use for carrying out credential-stuffing attacks. Law enforcement also found files that held almost 40 million password and username combinations.

Garrison already had a criminal record. He was charged previously for paying individuals with Bitcoin to call in bomb threats to his high school.

Garrison’s phone contained conversations with his co-conspirators, including details on how to hack DraftKings. Garrison boasted about his skills in carrying out credential-stuffing attacks. In one of the specific messages highlighted by prosecutors, Garrison said that fraud is “fun” and that he’s addicted to seeing money hitting his accounts.
