18-year-old charged with hacking 60,000 DraftKings betting accounts
The Department of Justice revealed today that an 18-year-old man named Joseph Garrison from Wisconsin had been charged with hacking into the accounts of around 60,000 users of the DraftKings sports betting website in November 2022.
According to the complaint, the suspect used an extensive list of credentials from other breaches to hack into the accounts. He then sold the hijacked accounts, and the buyers stole approximately $600,000 from around 1,600 compromised accounts.
Garrison and his co-conspirators devised a method allowing buyers of the stolen accounts to withdraw all funds, instructing them to add a new payment method to the hacked accounts, deposit a nominal sum of $5 through the newly added payment method to verify its validity, and subsequently withdraw all existing funds from the victims’ accounts to a separate financial account under the attackers’ control.
In a February 2023 search of Garrison’s residence, law enforcement found tools commonly employed in credential-stuffing attacks (including OpenBullet and SilverBullet) which require custom “config” files for each targeted website.
Roughly 700 config files for dozens of corporate websites were found on the suspect’s computer, including 11 separate ones for the betting website attacked in November.
Moreover, the search also led to the discovery of at least 69 files (known as wordlists) containing roughly 38,484,088 username and password combinations, also used in credential stuffing attacks.
While analyzing Garrison’s phone, law enforcement agents found additional evidence implicating the defendant in the November 2022 credential attack against the betting platform, including discussions with co-conspirators regarding the hacking of the website.
In one such conversation, Garrison even expressed a belief that law enforcement would be unable to apprehend or prosecute him, stating, “fraud is fun . . . im addicted to see money in my account . . . im like obsessed with bypassing shit.”
The DraftKings credential attack
While the Department of Justice didn’t name the betting site targeted in the attack, BleepingComputer is aware of a scheme targeting both DraftKings [1, 2] and FanDuel in November 2022.
“The safety and security of our customers’ personal and payment information is of paramount importance to DraftKings. We worked with law enforcement in catching the alleged bad actor(s), and we want to thank the Department of Justice, including the FBI and U.S. Attorney, Southern District of New York, for their prompt and effective action,” DraftKings told BleepingComputer today in a statement.
“As we stated previously, bad actor(s) were able use login credentials obtained from a third-party source to gain access to certain user accounts. When the identified credential stuffing incident occurred in November 2022, DraftKings provided notice to customers in relevant jurisdictions and restored amounts for a limited number of users who may have had funds improperly withdrawn from their accounts.”
DraftKings first revealed on November 21 that up to $300,000 were stolen from accounts breached in a credential attack.
In November, after learning that substantially more than $300,000 was stolen, BleepingComputer contacted DraftKings and was told, “Your source is incorrect on both the dollar figure and the number of customers affected.”
One month later, the sports betting company said it refunded hundreds of thousands of dollars stolen after 67,995 customers had their accounts hacked in the incident (matching the number of accounts mentioned in the complaint and the DOJ press release).
During the same period in November, FanDuel customers reported account compromises after credential-stuffing attacks, with the hacked accounts being sold on cybercrime marketplaces for as little as $2.
Garrison is known to have run the “Goat Shop” website selling hacked DraftKings and FanDuel accounts after the two attacks.
“On the Garrison Phone, law enforcement located an undated picture showing that Goat Shop had sold 225,247 products for total sales revenue of $2,135,150.09,” the complaint says.
The same detailed instructions on how to empty breached DraftKings accounts were provided on another online shop that match the instructions seen on Garrison’s Goat Shop website in the complaint.
The co-conspirators were also tracking DraftKings’ incident response, and, at one point, they warned that all the breached accounts were now locked after the company reset the affected accounts’ passwords.
Following the November attack, DraftKings advised customers never to use the same password for multiple services, to turn on 2FA on their accounts immediately, and unlink their bank accounts or remove banking details to block fraudulent withdrawal requests.
Chick-fil-A also confirmed in March (following an investigation that started in January) that 71,473 customers had their accounts breached in a months-long “automated” credential stuffing attack between December 18th, 2022, and February 12th, 2023
The stolen accounts also ended up for sale on the Goat Shop website for up to $200, depending on the account balance, the linked payment method, or the amount of Chick-fil-A One rewards points.
As the FBI warned recently, credential stuffing attacks are increasing in volume and frequency due to readily available automated tools and easy-to-obtain aggregated lists of stolen credentials.
“As alleged, Garrison attained unauthorized access to victim accounts using a sophisticated cyber-breaching attack to steal hundreds of thousands of dollars,” said FBI Assistant Director in Charge Michael J. Driscoll today.
“Cyber intrusions aiming to steal private individuals’ funds represent a serious risk to our economic security. Combatting cyberattacks and holding the responsible threat actors accountable in the criminal justice system remains a top priority for the FBI.”
Update: Revised article after confirmation that DraftKings was indeed the target of the credential-stuffing attack. Added statement from DraftKings.