Victims of a November 2022 DraftKings cyberattack may have gotten justice on Nov. 15. That’s when the US Attorney’s Office, Southern District of New York, announced Joseph Garrison pleaded guilty to “conspiracy to commit computer intrusion.” The case matches the timing and description of the DraftKings cyberattack.
The charge against Garrison, 19, carries a penalty of up to five years in prison. However, US District Judge Lewis A. Kaplan will decide on his sentence on Jan. 16.
Kaplan will be presented with the facts in yesterday’s announcement.
It says that beginning on Nov. 18, 2022, the Madison, Wis. resident allegedly stole $600,000 from about 1,600 accounts on “a fantasy sports and betting website.”
That’s when DraftKings (DraftKings 38,30 -1,16%), a “daily fantasy sports and sportsbook” app, experienced the same account losses in the same manner of hacking.
Garrison allegedly used this method, according to yesterday’s announcement:
GARRISON and others successfully accessed approximately 60,000 accounts at the Betting Website (the “Victim Accounts”) through the credential stuffing attack. In some instances, the individuals who unlawfully accessed the Victim Accounts were able to add a new payment method on the account, deposit $5 into that account through the new payment method to verify that method, and then withdraw all the existing funds in the Victim Account through the new payment method (i.e., to a newly added financial account belonging to the hacker), thus stealing the funds in the Victim Account. Using this method, GARRISON and others stole approximately $600,000 from approximately 1,600 Victim Accounts.
Damian Williams, the US Attorney for the Southern District of New York, said yesterday that Garrison didn’t commit the crime alone:
Joseph Garrison and his co-conspirators launched an online cyberattack, stealing approximately $600,000 from innocent victims’ accounts. Garrison now stands convicted of a federal crime for targeting the accounts of victims making legitimate online wagers.
DraftKings Cyberattack Caught in Time?
Yesterday’s announcement revealed that when members of law enforcement searched Garrison’s home in February, they found 40 million “username and password pairs.”
Those are credentials that the US Attorney’s Office notes can be used in attacks similar to the one that had already occurred. The announcement called those cyberattacks “credential stuffing attacks.”
Law enforcement also found messages on Garrison’s phone with his “co-conspirators.”
The announcement quoted one of Garrison’s messages:
Fraud is fun .. im addicted to see money in my account … im like obsessed with bypassing shit.