You are here

Suspect Detained in DraftKings HACKING Case: $600,000 Stolen

Joseph Garrison, 18, of Madison, WI, has surrendered himself to the authorities in connection with a hacking enterprise that the authorities say led to $600,000 being stolen from DraftKings customers. In a press release dated Thursday, May 18, 2023, the United States Attorney's Office for the Southern District of New York explained how this scheme allegedly operated and what charges Garrison faces.

In a Hacking Incident, More Than $600,000 Was Stolen From DraftKings Customer Accounts

How Were the Accounts Hacked?

According to the FBI, Garrison started a credential stuffing attack against DraftKings in November 2022. In this type of attack, a malicious actor obtains username and password information from compromised systems and then attempts to use this information to obtain access to other accounts. This type of attack works because many people foolishly use the same account credentials for multiple accounts.

In this case, law enforcement says, the accused was able to obtain almost 40 million pairs of usernames and passwords derived from data breaches at other companies. Garrison and others then tried inputting these credentials at DraftKings using automated software and were successful in accessing 60,000 accounts. Rather than attempting to steal directly from these DraftKings customers, Garrison sold the compromised account information to others and provided instructions on how to remove funds from them.

How Was Money Stolen From Accounts?

In order to withdraw money from the hacked accounts, wrongdoers first had to set up two-factor authentication with DraftKings using their own phone numbers. Then they added their own payment method and deposited $5. Once the deposit went through, that payment channel became available for withdrawals, and it was then used to cash out the entire balance of the account.

People who purchased stolen usernames and passwords received detailed instructions on how to empty the accounts of funds

Garrison Provided Explicit Instructions on How to Steal Funds From DraftKings Accounts

The FBI states that around 1,600 customer accounts were targeted in this manner, and approximately $600,000 was stolen from them.

According to court documents, Joseph Garrison sold account credentials for rival betting site FanDuel as well. However, it does not appear that any FanDuel customers were negatively affected.

The Charges Against Mr. Garrison

Joseph Garrison is facing six separate charges. They are:

Conspiracy to commit computer intrusions, with a maximum sentence of five years
Unauthorized access to a protected computer to further intended fraud, with a maximum sentence of five years
Unauthorized access to a protected computer, with a maximum sentence of five years
Wire fraud, with a maximum sentence of 20 years
Aggravated identity theft, with a mandatory minimum sentence of two years

Following a court appearance on May 18, Garrison was released on $100,000 bond. The case is being prosecuted by the Complex Frauds and Cybercrime Unit of the United States Attorney's Office for the Southern District of New York. The authorities didn't explicitly state why the case was filed in the Southern District of New York, but it's perhaps relevant that 30 of the compromised accounts belong to users located within this area.

About DraftKings

DraftKings was founded in 2012 as a Daily Fantasy Sports company with its headquarters in Boston, MA. After years of steady growth as a DFS provider, it added traditional sports betting to its lineup in August 2018 following the landmark Murphy decision by the Supreme Court.

The DraftKings website contains sections for daily fantasy sports, sports betting, and casino games depending on the state

Website of DFS and Sports Betting Provider DraftKings

DraftKings now offers sports betting in 21 states along with DFS in 45 states. In addition, the company provides online casino services in five states. The firm is traded on NASDAQ under the ticker symbol “DKNG.”

How Was Garrison Caught?

In November 2022, DraftKings alerted law enforcement that valid user account details were being traded on illicit websites. An undercover agent was able to purchase account credentials from one of these websites and verified with DraftKings that the email addresses sold corresponded with active betting accounts.

After purchasing the purloined account information, the undercover officer received images containing instructions about how to access the funds in the account. Law enforcement was able to obtain the IP addresses from which the images were uploaded to image hosting sites and were then able to connect one of the IP addresses to the house where Joseph Garrison lives with his parents.

On February 23, 2023, officers raided the Garrison house, having obtained a search warrant. They found dozens of files on a computer containing nearly 40 million pairs of usernames and passwords. They also identified software often used in credential stuffing attacks. They also found on the PC originals of the images illustrating how to steal money from betting accounts.

On Garrison's phone, they found discussions about how to conduct hacking attacks, including such details as bypassing CAPTCHA checks, chats about selling account information, and balances of some of the accounts.

They also found messages where Garrison seemed to be bragging about the criminal scheme, like the following:

im back to cracking
im getting sites no1 has had for like ever and shit
i have every captcha bypassed
fraud is fun
im addicted to see money in my account
…
idk im like obsessed with bypassing shit

Garrison's Unsavory Past

The isn't the first time Joseph Garrison has had a run-in with the law. During a June 2022 interview with police, he stated that he made about $800,000 selling hacked accounts on a website called “Goat Shop.”

Then in August 2022, Garrison was arrested for making terrorist threats. He supposedly made threatening calls to Vel Phillips Memorial High School in Madison, WI, as well as several schools in Texas and Pennsylvania. Police said that he admitted to paying others to make the threatening calls.

Comments About the Case

FBI Assistant Director in Charge Michael J. Driscoll has the following to say:

As alleged, Garrison attained unauthorized access to victim accounts using a sophisticated cyber-breaching attack to steal hundreds of thousands of dollars. Cyber intrusions aiming to steal private individuals’ funds represent a serious risk to our economic security. Combatting cyberattacks and holding the responsible threat actors accountable in the criminal justice system remains a top priority for the FBI.

DraftKings stated:

The safety and security of our customers’ personal and payment information is of paramount importance to DraftKings. We worked with law enforcement in catching the alleged bad actor(s), and we want to thank the Department of Justice, including the FBI and U.S. Attorney, Southern District of New York, for their prompt and effective action.

According to DraftKings, the company reimbursed the balances of users who were affected by the breach.

Guarding Against Cyber Attacks

There are a number of steps consumers can take to avoid security breaches like the one that took place at DraftKings. Perhaps the most obvious one is not reusing the same password for multiple accounts.

Another measure you can take is to turn on two-factor authentication, which will send a code to your phone whenever someone attempts to log in to your account. This code will need to be entered within a certain timeframe in order to log in. Because they will lack this code, hackers will not be able to easily access your account even if they somehow manage to acquire your username and password.

Perhaps one reason why so many users neglected these simple security measures is that they had faith in the fact that DraftKings is a state-licensed organization. After all, enhanced user security is often touted as a benefit of betting sites that are fully regulated by state authorities as opposed to offshore sites.

However, we have seen that “regulated” does not always translate into “safer.” In the same month that Joseph Garrison supposedly began his crooked dealings with DraftKings accounts, we reported on an unrelated scam that saw money surreptitiously taken from the accounts of online poker players. In that case also, the affected sites were state-licensed and -regulated.

Meanwhile, we haven't recently seen any stories about similar happenings at offshore betting sites. Maybe, because most of them have been in operation for a decade or longer, they have greater experience in countering these kinds of threats. Or perhaps, because their payment methods tend not to be integrated tightly with traditional banking systems, they're not as lucrative a target for would-be thieves. Whatever the reasons, international gaming sites are often safer from hackers and other malefactors than in-state, domestic sites.

Safe Betting Possible No Matter What State You Reside In

If you're in a state that DraftKings doesn't yet accept customers from or you're looking for an alternative to the limited offerings at state-licensed bookmakers, then you have many offshore options. To learn more about them, check out this rundown of the best online sportsbooks for Americans.

When it comes to poker too, you have legit places to play even if your state hasn't implemented online poker legalization yet. Peruse this guide to USA internet poker for additional information about the sites available to you and their individual strengths and weaknesses.