An 18-year-old Wisconsin man has been charged with allegedly playing a central role in the theft of $600,000 from DraftKings customer accounts.
Joseph Garrison – who potentially faces years in the clink if convicted and apparently bragged to his co-conspirators that “fraud is fun” – surrendered to the cops Thursday morning in New York City and appeared before a judge later that afternoon.
He has been charged with conspiracy to commit computer intrusions, unauthorized access to a protected computer to further intended fraud, unauthorized access to a protected computer, wire fraud and wire fraud conspiracy, and aggravated identity theft.
According to the six-count criminal complaint [PDF] that was unsealed this week, Garrison’s alleged crime spree started with a credential-stuffing attack against DraftKings, which prosecutors only identified as “the betting website,” in November 2022.
Credential stuffing is where you take a list of username-password combinations leaked from one website or app and throw those login details at other sites to see whether any of them also work, taking advantage of the fact that people reuse the same usernames, email addresses and passwords across multiple services. That’s why a strong, unique password per site, with multi-factor authentication where possible, is ideal: if one user database is stolen, the impact is limited to that one service.
As we reported at the time, the Boston-based sports gambling biz said that the login information of the impacted customers was stolen elsewhere and applied to their DraftKings accounts, where some passwords were reused. A classic stuffing attack.
After spotting the caper in November, “DraftKings provided notice to customers in relevant jurisdictions and restored amounts for a limited number of users who may have had funds improperly withdrawn from their accounts,” a spokesperson told The Register.
“The safety and security of our customers’ personal and payment information is of paramount importance to DraftKings,” the spokesperson continued. “We worked with law enforcement in catching the alleged bad actor(s), and we want to thank the Department of Justice, including the FBI and US Attorney, Southern District of New York, for their prompt and effective action.”
It’s unclear where Garrison and his fellow miscreants obtained the account credentials as alleged, but these are easy enough to buy in bulk on the dark web after they’ve been stolen from other databases in earlier security breaches.
What’s more, crooks can use scripting and other programs to quickly see if email address and password combos work on other sites. With the help of this automation, the alleged fraudsters successfully used previously purloined names and passwords to compromise about 60,000 accounts belonging to DraftKings users, according to prosecutors.
Garrison then allegedly sold access to these accounts, the Feds claim, along with instructions on how to drain the money from the compromised accounts. In some cases, crooks would withdraw all the funds in an account by transferring them to a newly added financial account belonging to the criminals, we’re told.
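For defenders, the two patterns described above (many usernames tried from one source with mostly failed logins, then a successful login from an unfamiliar address followed by a new payout account and a withdrawal) are both detectable in ordinary login and account-activity logs. The following is an added example, not code from The Register or DraftKings; the event format, field names, IP addresses and user names are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in time order (fictional users/IPs, not real data).
# ok = whether the login attempt succeeded.
EVENTS = [
    {"ts": "2022-11-18T02:00:00", "event": "login", "user": u, "ip": "203.0.113.7", "ok": False}
    for u in ("ann", "ben", "cat", "dan", "eve")
] + [
    {"ts": "2022-11-18T02:00:05", "event": "login", "user": "bob", "ip": "203.0.113.7", "ok": True},
    {"ts": "2022-11-18T02:09:00", "event": "add_payout", "user": "bob", "ip": "203.0.113.7"},
    {"ts": "2022-11-18T02:12:00", "event": "withdraw", "user": "bob", "ip": "203.0.113.7"},
    {"ts": "2022-11-18T09:00:00", "event": "login", "user": "carol", "ip": "198.51.100.9", "ok": True},
    {"ts": "2022-11-18T09:05:00", "event": "add_payout", "user": "carol", "ip": "198.51.100.9"},
    {"ts": "2022-11-18T09:06:00", "event": "withdraw", "user": "carol", "ip": "198.51.100.9"},
]
# Constructed baseline: IPs each user has successfully logged in from before.
KNOWN_IPS = {"bob": {"198.51.100.5"}, "carol": {"198.51.100.9"}}

def stuffing_sources(events, min_users=5, max_success_rate=0.5):
    """IPs that try many distinct usernames and mostly fail: the stuffing signature."""
    per_ip = defaultdict(lambda: {"users": set(), "tries": 0, "ok": 0})
    for e in events:
        if e["event"] == "login":
            s = per_ip[e["ip"]]
            s["users"].add(e["user"]); s["tries"] += 1; s["ok"] += int(e["ok"])
    return sorted(ip for ip, s in per_ip.items()
                  if len(s["users"]) >= min_users and s["ok"] / s["tries"] <= max_success_rate)

def cashout_takeovers(events, known_ips, window=timedelta(minutes=30)):
    """Users whose successful login from an unseen IP is followed within `window`
    by both a new payout account and a withdrawal: the drain pattern in the complaint."""
    flagged = set()
    for i, e in enumerate(events):
        if e["event"] != "login" or not e["ok"] or e["ip"] in known_ips.get(e["user"], set()):
            continue
        t0 = datetime.fromisoformat(e["ts"])
        later = {f["event"] for f in events[i + 1:]
                 if f["user"] == e["user"] and datetime.fromisoformat(f["ts"]) - t0 <= window}
        if {"add_payout", "withdraw"} <= later:
            flagged.add(e["user"])
    return sorted(flagged)

if __name__ == "__main__":
    print("stuffing sources:", stuffing_sources(EVENTS))               # ['203.0.113.7']
    print("cash-out takeovers:", cashout_takeovers(EVENTS, KNOWN_IPS))  # ['bob']
```

The thresholds are deliberately low for the tiny sample; in production they would be tuned against normal traffic, and the "known IP" baseline would come from the site's own login history rather than a hard-coded dict.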
This scam allegedly netted Garrison and his customers about $600,000 from some 1,600 victim accounts, according to court documents. That’s up from the $300,000 DraftKings at least initially told the media last year, we note.
‘Fraud is fun’
When law enforcement searched Garrison’s home in February, they found computer programs used for credential stuffing attacks as well as files containing almost 40 million usernames and passwords on Garrison’s computer, it is claimed.
Additionally, the Feds claim to have found records of incriminating conversations between Garrison and his co-conspirators about how to break into the sports betting site and how to steal funds from victims’ accounts. In a series of chats between Garrison and a co-conspirator from September 14, 2022, to September 16, 2022, Garrison bragged about his credential-stuffing prowess, it is claimed.
“I quit simming,” one September 14 message says, referring to SIM swapping, and “I’m back to cracking…im getting sites no1 has had for like ever and shit…i have every captcha bypassed.”
Then, two days later, Garrison messaged the same co-conspirators and said, “fraud is fun…im addicted to see money in my account…im like obsessed with bypassing shit,” the Feds claimed.
In announcing the charges, US Attorney Damian Williams said Garrison may well learn an important lesson: “You shouldn’t bet on getting away with fraud.” ®