An 18-year-old Wisconsin man has been charged with crimes related to a cyberattack on a fantasy sports and betting site this past fall that impacted approximately 60,000 accounts, according to an indictment unsealed Thursday by the United States Attorney’s Office of the Southern District of New York.
Joseph Garrison of Madison, Wisconsin, was charged with six counts of conspiracy, fraud and identity theft in connection with a credential stuffing attack that began in mid-November. In a credential stuffing attack, the culprits use stolen usernames and passwords, often obtained on the dark web, to gain access to user accounts.
The charges carry a maximum sentence of 20 years in prison, if convicted. Garrison surrendered to authorities Thursday in New York, according to the news release announcing the indictment.
“As alleged, Garrison attained unauthorized access to victim accounts using a sophisticated cyber-breaching attack to steal hundreds of thousands of dollars,” FBI assistant director in charge Michael J. Driscoll said in the release. “Cyber intrusions aiming to steal private individuals’ funds represent a serious risk to our economic security. Combatting cyberattacks and holding the responsible threat actors accountable in the criminal justice system remains a top priority for the FBI.”
The indictment did not identify the betting site, but DraftKings later released a statement saying it worked with law enforcement in the investigation.
“The safety and security of our customers’ personal and payment information is of paramount importance to DraftKings. We worked with law enforcement in catching the alleged bad actor(s), and we want to thank the Department of Justice, including the FBI and U.S. Attorney, Southern District of New York, for their prompt and effective action,” a DraftKings spokesperson said in the statement.
“As we stated previously, bad actor(s) were able to use login credentials obtained from a third-party source to gain access to certain user accounts. When the identified credential stuffing incident occurred in November 2022, DraftKings provided notice to customers in relevant jurisdictions and restored amounts for a limited number of users who may have had funds improperly withdrawn from their accounts.”
FanDuel also was affected by a November cyberattack, but a spokesperson for the sportsbook said, “We were not materially impacted by this attack.”
Law enforcement executed a search of Garrison’s home in February and found “programs typically used for credential stuffing attacks” and computer files containing nearly 40 million username and password pairs, according to the release. In addition, authorities located on Garrison’s phone discussions about how to hack the website and extract funds from the alleged victims’ accounts, including a message that stated, “fraud is fun . . . im addicted to see money in my account . . . im like obsessed with bypassing s—,” according to the release.
In December, DraftKings revealed in a data breach notification to the Maine Attorney General’s Office that 67,995 people were exposed in the November incident. The sportsbook had estimated that $300,000 worth of unauthorized funds were withdrawn in the attack.