A Wisconsin man has been charged in connection with a sophisticated scheme to illegally gain access to hundreds of unauthorized customer accounts at a sports betting website in late 2022, federal prosecutors announced Thursday.
The U.S. Attorney’s Office of the Southern District of New York announced the unsealing of a six-count indictment against Joseph Garrison, a resident of Madison, Wisconsin. Garrison, 18, and several others allegedly accessed roughly 60,000 accounts at the website through a technique known as βcredential stuffing.β
The technique typically involves a hacker utilizing log-in credentials from a third-party site to gain access to a user’s account at a highly secure website. A hacker can gain unauthorized access into an account by obtaining a user’s password from a local bank or gym, for example, then using the same log-in credentials at a major e-commerce site, or in this case an online sports betting account.
18-Year-Old Hacker Charged Over Theft Of 60,000 DraftKings Accounts https://t.co/dMxHI995rY
— AwesomeAlways (@adelovelyspice) May 18, 2023
Garrison, according to the U.S. Attorney’s Office, launched a credential stuffing attack on Nov. 18, 2022. Three days later, DraftKings identified a pattern of irregular activity on customer accounts. At the time, the company noted that less than $300,000 of customer funds were impacted by the account takeovers.
While prosecutors did not name the sports betting and daily fantasy website impacted in the breach, DraftKings was targeted in the attack, CNBC reported. Last December, the three definitive leaders in the U.S. mobile sports betting market βΒ FanDuel, DraftKings, and BetMGMΒ β all reported an uptick in cybersecurity disruptions at the end of 2022.
All told, Garrison and others stole approximately $600,000 from about 1,600 victim accounts, according to the indictment.
“As alleged, Garrison used a credential stuffing attack to hack into the accounts of tens of thousands of victims and steal hundreds of thousands of dollars,” said Damian Williams, U.S. Attorney for the Southern District of New York, in a statement. “Thanks to the work of my Office and the FBI, Garrison learned that you shouldnβt bet on getting away with fraud.”
A DraftKings spokesman did not respond to a request from Sports Handle for comment. When reached by Sports Handle, a FanDuel spokesman declined comment.
Aggressive pursuit by law enforcement
During a credential stuffing attack, a cyber threat actor collects stolen credentials, or username and password pairs, obtained from other large-scale data breaches of other companies, which can be purchased on the so-called “dark web.” According to an affidavit presented by an FBI special agent, Garrison sold access to the victim accounts through websites on the dark web that marketed and sold illegal account credentials. In some cases, the individuals who accessed the stolen accounts added a new payment method to the account, then deposited only $5 to verify the new method.
From there, the criminal actors were able to withdraw the existing funds from a victim’s account through the new payment method, a new fraudulent account belonging to a hacker. In one notable case, a DraftKings customer in Kansas City had most of the $19,439 inΒ funds from his DraftKings account cleared out as the Kansas City Chiefs faced the Los Angeles Chargers on Sunday Night Football. The customer had the funds returned approximately 40 minutes later, according to Yahoo Finance.
Given today's update by @jgolden5 … here is the story as it was described back in November 2022…
DraftKings says no evidence systems were breached following report of a hackhttps://t.co/obYg2nUVlZ
— Alfonso Straffon π¨π·πΊπΈπ²π½ (@astraffon) May 18, 2023
At some point last November, the betting website informed law enforcement officials that representatives from the site purchased stolen credentials to investigate the hack. As part of the purchase, representatives from the site received instructions on how to steal money from the intercepted victim accounts, according to the criminal complaint.
The website later cross-referenced the status of an intercepted account on its own system and observed that funds had been withdrawn from the account on or about Nov. 18, 2022, in a “manner consistent with the hacking instructions.” In addition, representatives from the site observed that a particular IP address was used to access the account around the same time.
By January, an undercover agent assigned to the case swung into action.
Defendant: ‘Fraud is fun’
On Jan. 9, Georgia won its second straight national title in college football, thrashing TCU 65-7 in the championship game. On or around that day, the undercover agent purchased usernames and passwords for two victim accounts at a cost of $11 total. Upon the purchase, the agent received instructions on how the credential pairs could be used to steal money from accounts of the unsuspecting victims. The credentials were transmitted and downloaded by the agent from an office in New York.
By late February, law enforcement officials executed a search of Garrison’s computer, cellphone, and other items inside his family’s Wisconsin residence. During the investigation, officials detected two programs on the computer: OpenBullet and SilverBullet, software that is used to execute credential stuffing attacks.
Officials also discovered 11 so-called “config files” from a betting website, files that are needed for a website to launch a credential stuffing excursion. In total, law enforcement officials detected about 700 separate configs for potential attacks against dozens of other company websites, according to the indictment. Through the search, law enforcement located at least 69 wordlists containing more than 38.4 million username and password combinations.
There is a high chance this arrest (of an 18-year-old!) is connected to the DraftKings breaches in November 2022.
It is probably NOT related to the BetMGM fake accounts in Oct/Nov, as that was not credential stuffing, and it was based out of San Diego, not Wisconsin. https://t.co/OHxXhK9A1M
— Todd Witteles (@ToddWitteles) May 18, 2023
Josh Chin, managing partner of Net Force, a member of the Cyber Task Force Security, indicated that it is a positive development any time the Justice Department can “bring an indictment forward” in a high-profile hacking case. The result may have been different, he emphasized, if the defendants were part of a transnational hacking syndicate located outside of the U.S.
“There are always different factors and variables. We should applaud anytime the FBI can nail one of these guys,” Chin told Sports Handle. “It should be celebrated, especially when you think about how global our world is.”
Over the course of the investigation, law enforcement also intercepted conversations between Garrison and a co-conspirator in September 2022, weeks before the intrusion of the betting site. At one point, Garrison told a co-conspirator that he hacked into sites that no one else breached and declared, “Fraud is fun.”
Moments later, he bragged, “I’m addicted to see[ing] money in my account,” adding that he was “obsessed with bypassing sh**.” The conspirator cautioned Garrison to cool it down because he was “already under enough heat,” plus he’d made “six figures” in a single afternoon.
Response from state regulators
Over the last year, several states with legal sports betting have passed enhanced standards on multi-factor authentication (2FA). The new regulations on 2FA provide an extra layer of protection, as customers are required to verify their identity through email or SMS text before gaining access to their account. In the wake of the cyber breaches, the Nevada Gaming Commission adopted a set of regulations that created new cybersecurity requirements for certain online gambling operators.
The risks posed to the security of customer accounts became a hot topic at last December’s National Council Of Legislators From Gaming States (NCLGS) Winter Meeting in Las Vegas.
“Weβre going to have high standards to ensure that consumersβ privacy will be protected,β said Indiana state Sen. Jon Ford in an interview withΒ Sports Handle. βIf places donβt do it, they could lose their license.β Ford serves as the president of NCLGS.
State legislators and regulators are brainstorming ways to curb cyber attacks in the wake of last month's breach. @MattRybaltowski explores:
– A look at 'credential stuffing '
– The approach for new states
– Outrunning the regulators #sportsbettinghttps://t.co/Fw5NM7zrpY— Sports Handle (@sports_handle) December 15, 2022
While sportsbooks can mitigate risks of a cyber breach with enhanced protections, quite often the onus falls on the customers themselves, according to cybersecurity experts. Bettors can help themselves by maintaining “proper cyber hygiene” in using sports wagering passwords that differ from those they use for less secure local sites. Gamblers on leading sports wagering sites are also instructed to change their passwords often.
Chin described the incident as “a canary in a coal mine,” signaling potential danger if changes are not made soon enough.
“It should be a huge wake-up call for everyone, in sports betting and anything else that’s out there,” he told Sports Handle. “Whether it’s crypto accounts or Amazon, it should be a continuous wake-up call.
“It’s easy to get desensitized to these incidents. We shouldn’t.”
The alleged hacker, Joseph Garrison, pulled off the scheme using stolen passwords from other data breaches. 'Fraud is fun,' he texted an associate last year. https://t.co/jY50os8rUR
— PCMag (@PCMag) May 19, 2023
After Garrison made an appearance Thursday in Manhattan federal court, he was released on a $100,000 bond, according to court records obtained by Heavy.com.
Garrison is also facing charges in Wisconsin in connection with calling in bomb threats and making terrorist threats to schools in the Madison area last year, court records show. The teenager pleaded not guilty in the case.
The six charges in the hacking case carry imprisonment of anywhere from five to 20 years per charge. If Garrison is convicted of wire fraud, he will face a maximum sentence of 20 years in prison on that charge.
