An 18-year-old has been charged with hacking into the accounts of around 60,000 users of the DraftKings sports betting website in November 2022. Joseph Garrison is accused of using an extensive list of credentials from other breaches to hack into the accounts. He then sold access to the hijacked accounts, and the buyers stole approximately $600,000 from around 1,600 compromised accounts.
The Department of Justice didn’t name the betting site targeted in the attack, but the announcement coincides with previously reported credential stuffing attacks to both DraftKings and FanDuel in November 2022. The scheme involved using a list of stolen credentials to log into users’ accounts and then change the passwords and email addresses associated with the accounts. This made it difficult for the rightful owners of the accounts to regain access.
The buyers of the hijacked accounts then used them to place bets on various sporting events. In some cases, they were able to win large sums of money. However, the money was ultimately stolen from the rightful owners of the accounts.
DraftKings statement on hack
In a statement to CNBC, DraftKings said: “The safety and security of our customers’ personal and payment information is of paramount importance to DraftKings. We worked with law enforcement in catching the alleged bad actor(s), and we want to thank the Department of Justice, including the FBI and U.S. Attorney, Southern District of New York, for their prompt and effective action.”
The initial reports of the DraftKings and FanDuel hacks from November 2022 estimated stolen funds at $300,000. However, the DOJ announcement gives further clarity to the extent of the stolen funds and cybercriminal activity.
Garrison wrote to co-conspirators according to federal prosecutors that “fraud is fun” and that he “is addicted to seeing money in my account.”
DraftKings: What is a Credential Stuffing Attack?
Credential stuffing attacks are leveraged when large target platforms are breached and the credentials are released usually on the dark web. Hackers can then leverage the stolen credentials to try using the same credentials on other popular websites and platforms—essentially targeting users who don’t create unique passwords.
Garrison has been charged with one count of conspiracy to commit wire fraud and one count of aggravated identity theft. If convicted, he faces up to 20 years in prison.
This case is a reminder of the importance of using strong passwords and enabling two-factor authentication on your online accounts. Using reputable password managers or passkeys when possible can help prevent credential stuffing attacks. By taking these steps, you can make it more difficult for hackers to gain access to your accounts.
