A boastful teenage hacker has been charged with orchestrating a break-in to the sports betting website DraftKings, which led to $600,000 being drained from hundreds of customer accounts.
Joseph Garrison, 18, of Madison, Wis., is accused of using stolen log-in and password combinations he bought on the dark web to hack his way into 60,000 accounts on DraftKings last November. He then sold the information to others who used it to drain 1,600 customer accounts, federal prosecutors in Manhattan said.
This technique of hacking is known as credential stuffing, which works best when online users utilize the same password and log-in name across multiple sites.
“Fraud is fun,” Garrison allegedly wrote in a text message to a co-conspirator, court documents said. “I’m addicted to seeing money in my account.”
DraftKings is not named in the criminal complaint, but at the time of Garrison’s alleged cyberattack the company issued a statement saying some customer accounts had been compromised and included several details that match prosecutors’ description. CNBC has reported that DraftKings is the company involved in the alleged Garrison hack, citing a source close to the company.
“Garrison attained unauthorized access to victim accounts using a sophisticated cyber-breaching attack to steal hundreds of thousands of dollars,” said Michael Driscoll of the FBI. “Cyber intrusions aiming to steal private individuals’ funds represent a serious risk to our economic security.”
At the time of the hack, Garrison was already facing charges in a separate case in Wisconsin for allegedly paying people in Bitcoin online to phone in bomb threats to his own high school in Madison and in other cities where his friends lived, a practice known as “swatting,” according to court documents. In the case of one such call, Garrison allegedly requested the threat be called in because he was bored and wanted to go home, according to court records in Wisconsin.
Garrison surrendered to authorities in New York on Thursday morning and was scheduled to make his first appearance before a judge later in the day. It wasn’t immediately clear if he had retained an attorney in the hacking case and an attorney who represented him in the earlier swatting case didn’t immediately respond to a message seeking comment.
While under investigation in the swatting case, police in Wisconsin discovered evidence that Garrison had been involved in a number of hacking scams for years and had amassed a fortune of $2.1 million by the age of 17. He admitted making $15,000 a day on average from 2018 through 2021, but told investigators he had ceased being involved in any hacking activity, court documents said.
But five months later, he allegedly committed the credential stuffing attack on the DraftKings site, prosecutors said. Employees at DraftKings were able to zero in on Garrison after launching their own investigation and buying back some of the stolen credentials he was selling on the dark web, prosecutors said.
At the time of the attack, DraftKings issued a public statement acknowledging that some of its customer accounts had been compromised. A message left with representatives of DraftKings wasn’t immediately returned.
Investigators later determined that the IP address the thief used to sell the account information, matched that connected to Garrison’s parents’ home, where he lived.