A Wisconsin man has been charged in connection with a sophisticated scheme to illegally gain access to hundreds of unauthorized customer s at a sports betting website in late 2022, federal prosecutors announced Thursday.
The U.S. Attorney’s Office of the Southern District of New York announced the unsealing of a six-count indictment against Joseph Garrison, a resident of Madison, Wisconsin. Garrison, 18, and several others allegedly accessed roughly 60,000 s at the website through a technique known as “credential stuffing.”
The technique typically involves a hacker utilizing log-in credentials from a third-party site to gain access to a ’s at a highly secure website. A hacker can gain unauthorized access into an by obtaining a ’s from a local bank or gym, for example, then using the same log-in credentials at a major e-commerce site, or in this case an online sports betting .
18-Year-Old Hacker Charged Over Theft Of 60,000 DraftKings s https://t.co/dMxHI995rY
— AwesomeAlways (@adelovelyspice) May 18, 2023
Garrison, according to the U.S. Attorney’s Office, launched a credential stuffing attack on Nov. 18, 2022. Three days later, DraftKings identified a pattern of irregular activity on customer s. At the time, the company noted that less than $300,000 of customer funds were impacted by the takeovers.
While prosecutors did not name the sports betting and daily fantasy website impacted in the breach, DraftKings was targeted in the attack, BetMGM — all reported an uptick in cybersecurity disruptions at the end of 2022.
All told, Garrison and others stole approximately $600,000 from about 1,600 victim s, according to the indictment.
“As alleged, Garrison used a credential stuffing attack to hack into the s of tens of thousands of victims and steal hundreds of thousands of dollars,” said Damian Williams, U.S. Attorney for the Southern District of New York, in a statement. “Thanks to the work of my Office and the FBI, Garrison learned that you shouldn’t bet on getting away with fraud.”
A DraftKings spokesman did not respond to a request from Sports Handle for comment. When reached by Sports Handle, a FanDuel spokesman declined comment.
Aggressive pursuit by law enforcement 5j2dk
During a credential stuffing attack, a cyber threat actor collects stolen credentials, or name and pairs, obtained from other large-scale data breaches of other companies, which can be purchased on the so-called “dark web.” According to an affidavit presented by an FBI special agent, Garrison sold access to the victim s through websites on the dark web that marketed and sold illegal credentials. In some cases, the individuals who accessed the stolen s added a new payment method to the , then deposited only $5 to the new method.
From there, the criminal actors were able to withdraw the existing funds from a victim’s through the new payment method, a new fraudulent belonging to a hacker. In one notable case, a DraftKings customer in Kansas City had most of the $19,439 in funds from his DraftKings cleared out as the Kansas City Chiefs faced the Los Angeles Chargers on Sunday Night Football. The customer had the funds returned approximately 40 minutes later, according to Yahoo Finance.
Given today's update by @jgolden5 … here is the story as it was described back in November 2022…
DraftKings says no evidence systems were breached following report of a hackhttps://t.co/obYg2nUVlZ
— Alfonso Straffon 🇨🇷🇺🇸🇲🇽 (@astraffon) May 18, 2023
At some point last November, the betting website informed law enforcement officials that representatives from the site purchased stolen credentials to investigate the hack. As part of the purchase, representatives from the site received instructions on how to steal money from the intercepted victim s, according to the criminal complaint.
The website later cross-referenced the status of an intercepted on its own system and observed that funds had been withdrawn from the on or about Nov. 18, 2022, in a “manner consistent with the hacking instructions.” In addition, representatives from the site observed that a particular IP address was used to access the around the same time.
By January, an undercover agent assigned to the case swung into action.
Defendant: ‘Fraud is fun’ 6b2x1e
On Jan. 9, Georgia won its second straight national title in college football, thrashing TCU 65-7 in the championship game. On or around that day, the undercover agent purchased names and s for two victim s at a cost of $11 total. Upon the purchase, the agent received instructions on how the credential pairs could be used to steal money from s of the unsuspecting victims. The credentials were transmitted and ed by the agent from an office in New York.
By late February, law enforcement officials executed a search of Garrison’s computer, cellphone, and other items inside his family’s Wisconsin residence. During the investigation, officials detected two programs on the computer: OpenBullet and SilverBullet, software that is used to execute credential stuffing attacks.
Officials also discovered 11 so-called “config files” from a betting website, files that are needed for a website to launch a credential stuffing excursion. In total, law enforcement officials detected about 700 separate configs for potential attacks against dozens of other company websites, according to the indictment. Through the search, law enforcement located at least 69 wordlists containing more than 38.4 million name and combinations.
There is a high chance this arrest (of an 18-year-old!) is connected to the DraftKings breaches in November 2022.
It is probably NOT related to the BetMGM fake s in Oct/Nov, as that was not credential stuffing, and it was based out of San Diego, not Wisconsin. https://t.co/OHxXhK9A1M
— Todd Witteles (@ToddWitteles) May 18, 2023
Josh Chin, managing partner of Net Force, a member of the Cyber Task Force Security, indicated that it is a positive development any time the Justice Department can “bring an indictment forward” in a high-profile hacking case. The result may have been different, he emphasized, if the defendants were part of a transnational hacking syndicate located outside of the U.S.
“There are always different factors and variables. We should applaud anytime the FBI can nail one of these guys,” Chin told Sports Handle. “It should be celebrated, especially when you think about how global our world is.”
Over the course of the investigation, law enforcement also intercepted conversations between Garrison and a co-conspirator in September 2022, weeks before the intrusion of the betting site. At one point, Garrison told a co-conspirator that he hacked into sites that no one else breached and declared, “Fraud is fun.”
Moments later, he bragged, “I’m addicted to see[ing] money in my ,” adding that he was “obsessed with bying sh**.” The conspirator cautioned Garrison to cool it down because he was “already under enough heat,” plus he’d made “six figures” in a single afternoon.
Response from state regulators 2f2q5g
Over the last year, several states with legal sports betting have ed enhanced standards on multi-factor authentication (2FA). The new regulations on 2FA provide an extra layer of protection, as customers are required to their identity through email or SMS text before gaining access to their . In the wake of the cyber breaches, the Nevada Gaming Commission adopted a set of regulations that created new cybersecurity requirements for certain online gambling operators.
The risks posed to the security of customer s became a hot topic at last December’s National Council Of Legislators From Gaming States (NCLGS) Winter Meeting in Las Vegas.
“We’re going to have high standards to ensure that consumers’ privacy will be protected,” said Indiana state Sen. Jon Ford in an interview with Sports Handle. “If places don’t do it, they could lose their license.” Ford serves as the president of NCLGS.
State legislators and regulators are brainstorming ways to curb cyber attacks in the wake of last month's breach. @MattRybaltowski explores:
– A look at 'credential stuffing '
– The approach for new states
– Outrunning the regulators #sportsbettinghttps://t.co/Fw5NM7zrpY— Sports Handle (@sports_handle) December 15, 2022
While sportsbooks can mitigate risks of a cyber breach with enhanced protections, quite often the onus falls on the customers themselves, according to cybersecurity experts. Bettors can help themselves by maintaining “proper cyber hygiene” in using sports wagering s that differ from those they use for less secure local sites. Gamblers on leading sports wagering sites are also instructed to change their s often.
Chin described the incident as “a canary in a coal mine,” signaling potential danger if changes are not made soon enough.
“It should be a huge wake-up call for everyone, in sports betting and anything else that’s out there,” he told Sports Handle. “Whether it’s crypto s or Amazon, it should be a continuous wake-up call.
“It’s easy to get desensitized to these incidents. We shouldn’t.”
The alleged hacker, Joseph Garrison, pulled off the scheme using stolen s from other data breaches. 'Fraud is fun,' he texted an associate last year. https://t.co/jY50os8rUR
— PCMag (@PCMag) May 19, 2023
After Garrison made an appearance Thursday in Manhattan federal court, he was released on a $100,000 bond, according to court records obtained by Heavy.com.
Garrison is also facing charges in Wisconsin in connection with calling in bomb threats and making terrorist threats to schools in the Madison area last year, court records show. The teenager pleaded not guilty in the case.
The six charges in the hacking case carry imprisonment of anywhere from five to 20 years per charge. If Garrison is convicted of wire fraud, he will face a maximum sentence of 20 years in prison on that charge.
