Eventually tracked down
A teenager who infiltrated DraftKings and helped to steal more than $600,000 from users has pled guilty to hacking the platform. Joseph Garrison gained access to over 60,000 accounts in November 2022 through a method called credential stuffing.
In this type of attack, a hacker uses the stolen credentials accumulated from major data breaches to access accounts that the person holds with other companies. This strategy works when the same password is in use.
carrying a maximum prison sentence of five years
The FBI eventually linked Garrison to the hack and the Southern District of New York’s Complex Frauds and Cybercrime Unit began prosecuting the case. Garrison pled guilty on Wednesday to a single count of conspiracy to commit computer intrusion, carrying a maximum prison sentence of five years. The sentencing is taking place on January 16 with US District Judge Lewis Kaplan.
The operation
The 19-year-old sold the access details of users to other individuals and instructed buyers on how to get their hands on funds. With some of the accounts, infiltrators were able to introduce a new payment method. They could then add $5 to verify the method before withdrawing the entire balance.
The teenager sold the details on cybercrime marketplaces, charging up to $10 per DraftKings account. An image on Garrison’s phone showed that he had sold 225,247 products for a total lifetime revenue of $2.1m.
DraftKings reimbursed all of the stolen funds
The co-conspirators tracked the response from DraftKings to the attack, providing updates when the operator reset the passwords of all the impacted accounts. Ultimately, DraftKings reimbursed all of the stolen funds.
Garrison also tried to hack into FanDuel accounts around the same time. The operator confirmed that the infiltrators did not get access.
An abundance of evidence
The authorities searched Garrison’s Wisconsin residence in February and discovered programs that hackers often use for carrying out credential-stuffing attacks. Law enforcement also found files that held almost 40 million password and username combinations.
Garrison’s phone contained conversations with his co-conspirators, including details on how to hack DraftKings. Garrison boasted about his skills in carrying out credential-stuffing attacks. In one of the specific messages highlighted by prosecutors, Garrison said that fraud is “fun” and that he’s addicted to seeing money hitting his accounts.