Authorities may have gotten to the bottom of a cyber-attack against DraftKings in November, which resulted in the theft of about $600,000 from user accounts. Joseph Garrison, 18, of Wisconsin, surrendered to the FBI in New York City on May 18, 2023.
The United States Attorney’s Office of the Southern District of New York announced the arrest later the same day. The statement doesn’t specify the “fantasy sports and betting website” Garrison is accused of hacking. However, the details and timing of the alleged attack line up perfectly with what DraftKings experienced in November 2022, leaving little doubt.
Prosecutors allege that:
On or about November 18, 2022, GARRISON launched a “credential stuffing attack” on the Betting Website […] Using this method, GARRISON and others stole approximately $600,000 from approximately 1,600 Victim Accounts.
FanDuel, BetMGM and WSOP also suffered cyberattacks around the same time. However, the type of attack was different at BetMGM and WSOP, targeting a payment processor used by both sites. That may mean those attacks were unrelated and the timing coincidental. Conversely, the credential stuffing approach used on FanDuel matched that on DraftKings, though the company claims its security was more successful in repelling the attack.
Garrison will face multiple charges from the Office’s Complex Frauds and Cybercrime Unit. Some of these carry maximum penalties of 20 years in prison.
- Conspiracy to commit computer intrusions
- Unauthorized access to a protected computer & unauthorized access to a protected computer to further intended fraud
- Wire fraud & wire fraud conspiracy
- Aggravated identity theft
The charges have yet to be proven. However, prosecutors claim that authorities found incriminating messages along with the tools necessary to carry out a credential stuffing attack. One message reads in part:
fraud is fun . . . im addicted to see money in my account . . . im like obsessed with bypassing shit.
Credential Stuffing and How to Protect Against It
Credential stuffing is a straightforward form of hacking that relies on users’ tendency to reuse logins between sites.
Hackers target a low-security website and steal the database of username/password combinations. They can then use these logins themselves or, more often, sell them to others on the dark web for use in such attacks.
The attackers then use automation techniques to try these logins on other websites, particularly those where they can benefit financially from access to users’ accounts.
The most straightforward way to keep yourself safe from credential stuffing is never to reuse passwords. Many people find that impractical, however.
If you’re not going to have unique passwords for every website, then at least keep in mind that a password is only as secure as the least secure website you use it for. So you should definitely never use the same password for your bank or online casino account as you do for, say, your local softball league.
Another good policy is to use two-factor authentication (2FA). This is now available at most online gambling sites and is a regulatory requirement in some states, including New Jersey and Pennsylvania. With 2FA turned on, just having your login info isn’t enough. Hackers wouldn’t be able to access your account without also stealing your phone.