Report: Teenager pleads guilty to stealing $600,000 from DraftKings users in 2022 hack
Joseph Garrison boasted “fraud is fun” as he pleaded guilty to stealing from around 1,600 user accounts in November 2022
Wisconsin teenager Joseph Garrison has pleaded guilty in a New York federal court to stealing over $600,000 from DraftKings user accounts in November 2022.
According to reports from CNBC, Garrison used a credential stuffing attack to gain access to around 60,000 accounts.
According to a criminal complaint in the US District Court in Manhattan, Garrison boasted that “fraud is fun” in a message he sent out to co-conspirators before his arrest.
He also wrote, “I’m addicted to see money in my account” and “I’m obsessed with bypassing s***”.
The Manhattan US Attorney’s Office said that on November 18 2022, Garrison launched the credential stuffing attack on the operator’s website.
Perpetrators in such attacks use stolen user data from previous data breaches to gain authorized access to their accounts.
Prosecutors said in some instances, the DraftKings hackers were able to add a new payment method to an account, deposit $5 to verify the payment type, and then drain the accounts of all available funds.
Around 1,600 accounts were drained during this hack. The operator, who was not named in the suit, confirmed that the accounts had been compromised and that it had reimbursed all the money stolen from its users.
Investigators searched Garrison’s home in February 2023, where they allegedly found the programs used to commit the hack.
He used over 700 individual files to create a website to launch the attacks from his computer. During the investigation, officers found 40 million username and password combinations.
Following his guilty plea, Garrison will be sentenced on January 16 2024 and could face up to five years in prison for conspiring to commit computer intrusion.