Suspect Arrested in DraftKings Hack Case: $600,000 Stolen

Joseph Garrison, 18, of Madison, Wisconsin, turned himself in to authorities in connection with hacking activity that authorities say led to $600,000 stolen from DraftKings customers. In a press release on Thursday, May 18, 2023, the United States Attorney’s Office for the Southern District of New York explained how the scheme allegedly worked and what charges Garrison faces.

How were the accounts hacked?

According to the FBI, Garrison started a credential stuffing attack against DraftKings in November 2022. In this type of attack, a malicious actor obtains username and password information from compromised systems and then attempts to use that information to gain access to other accounts. This type of attack works because many people recklessly use the same credentials for multiple accounts.
In this case, law enforcement says the defendant was able to obtain nearly 40 million pairs of usernames and passwords taken from data breaches at other companies. Garrison and others then attempted to enter those credentials into DraftKings using automated software and were able to gain access to 60,000 accounts. Instead of trying to steal directly from these DraftKings customers, Garrison sold the compromised account information to others and provided instructions on how to remove funds from them.
How was money stolen from accounts?

To withdraw money from the hacked accounts, the offenders first had to set up two-factor authentication with DraftKings using their own phone numbers. Then they added their own payment method and deposited $5. Once the deposit went through, that payment channel became available for withdrawals and was then used to withdraw the entire account balance.

The FBI says about 1,600 customer accounts were attacked this way and about $600,000 was stolen from them.
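
A defender-side sketch of how a platform could flag the cash-out sequence described above (new 2FA phone, new payment method, small deposit, withdrawal of the whole balance) in its account event log. This is an added example, not code from DraftKings or from the case; the event field names, thresholds and sample events are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(hours=24)  # assumption: the whole chain completes within a day
SMALL_DEPOSIT = 10.00         # assumption; the article reports $5 deposits
DRAIN_RATIO = 0.90            # assumption: withdrawal takes >= 90% of the balance

def find_takeover_chains(events):
    """Flag accounts with, in order and inside WINDOW: new 2FA phone -> new payment
    method -> small deposit on it -> near-total withdrawal through that same method."""
    by_account, flagged = {}, []
    for e in sorted(events, key=lambda x: x["ts"]):
        by_account.setdefault(e["account"], []).append(e)
    for account, evs in by_account.items():
        state = None  # progress through the chain for this account
        for e in evs:
            if e["type"] == "mfa_enroll":
                state = {"start": e["ts"], "method": None, "seeded": False}
            elif state is None or e["ts"] - state["start"] > WINDOW:
                state = None  # no recent 2FA change: nothing to correlate
            elif e["type"] == "payment_method_add":
                state["method"], state["seeded"] = e["method"], False
            elif e["type"] == "deposit":
                if e["method"] == state["method"] and e["amount"] <= SMALL_DEPOSIT:
                    state["seeded"] = True
            elif e["type"] == "withdrawal":
                if (state["seeded"] and e["method"] == state["method"]
                        and e["amount"] >= DRAIN_RATIO * e["balance_before"]):
                    flagged.append(account)
                    break
    return flagged

def sample(account, hhmm, kind, **fields):  # builds one constructed event
    ts = datetime(2022, 11, 20, int(hhmm[:2]), int(hhmm[3:]))
    return {"account": account, "ts": ts, "type": kind, **fields}

# Constructed sample events (not real data). acct-A: the full chain; acct-B: ordinary
# use of a new card; acct-C: full withdrawal on an old method with no 2FA change.
SAMPLE_EVENTS = [
    sample("acct-A", "10:00", "mfa_enroll"),
    sample("acct-A", "10:05", "payment_method_add", method="card-X"),
    sample("acct-A", "10:07", "deposit", method="card-X", amount=5.00),
    sample("acct-A", "10:20", "withdrawal", method="card-X", amount=412.50, balance_before=417.50),
    sample("acct-B", "09:00", "mfa_enroll"),
    sample("acct-B", "09:02", "payment_method_add", method="card-Y"),
    sample("acct-B", "09:03", "deposit", method="card-Y", amount=50.00),
    sample("acct-B", "12:00", "withdrawal", method="card-Y", amount=20.00, balance_before=130.00),
    sample("acct-C", "11:00", "withdrawal", method="bank-Z", amount=300.00, balance_before=300.00),
]
print(find_takeover_chains(SAMPLE_EVENTS))
```

Only acct-A is flagged; a rule like this would typically hold the withdrawal for review rather than block it outright, since the thresholds are tunable guesses.
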
Joseph Garrison sold account credentials to rival betting site FanDuel, according to court documents. However, it does not appear that FanDuel customers were negatively affected.
The charges against Mr. Garrison

Joseph Garrison faces six separate charges. They are:
- Conspiracy to commit computer hacking, with a maximum sentence of five years
- Unauthorized access to a secure computer in furtherance of premeditated fraud, with a maximum sentence of five years
- Unauthorized access to a secure computer, with a maximum sentence of five years
- Wire fraud, with a maximum sentence of 20 years
- Aggravated identity theft, with a mandatory minimum sentence of two years
After a May 18 court appearance, Garrison was released on $100,000 bail. The case is being prosecuted by the United States Attorney’s Office for the Southern District of New York’s Sophisticated Fraud and Cyber Crimes Unit. Authorities did not specifically say why the case was filed in the Southern District of New York, but it is perhaps relevant that 30 of the compromised accounts belonged to users located in that area.
About DraftKings

DraftKings was founded in 2012 as a daily fantasy sports company headquartered in Boston, Massachusetts. After years of steady growth as a DFS provider, it added traditional sports betting to its lineup in August 2018 following the Supreme Court’s landmark Murphy decision.

DraftKings now offers sports betting in 21 states along with DFS in 45 states. In addition, the company provides online casino services in five states. The company trades on the NASDAQ under the ticker symbol “DKNG”.
How was Garrison caught?

In November 2022, DraftKings warned law enforcement that valid user account information was being traded on illegal websites. An undercover agent was able to purchase account credentials from one of these websites and confirmed with DraftKings that the email addresses sold corresponded to active betting accounts.
After purchasing the stolen account information, the undercover officer received images containing instructions to access the funds in the account. Law enforcement was able to obtain the IP addresses from which the images were uploaded to image hosting sites and was then able to link one of the IP addresses to the house where Joseph Garrison lives with his parents.
On February 23, 2023, police officers raided the Garrison house after obtaining a search warrant. They found dozens of files on a computer containing nearly 40 million pairs of usernames and passwords. They also identified software that is often used in credential stuffing attacks, and found on the computer original images illustrating how money was stolen from betting accounts.
On Garrison’s phone, they found discussions about how to carry out hacking attacks, including details such as bypassing CAPTCHA checks, chats selling account information and the balances of some of the accounts.
They also found messages in which Garrison appeared to brag about the criminal scheme, such as the following:
back to crack
i get sites that number 1 has had forever and shit
I have skipped every captcha
cheating is fun
i’m addicted to seeing money in my account
…
idk i’m kind of obsessed with bypassing the crap
Garrison’s sordid past

This is not the first time Joseph Garrison has had a run-in with the law. During an interview with police in June 2022, he claimed to have made about $800,000 from selling hacked accounts on a website called “Goat Shop.”
Then in August 2022, Garrison was arrested for making terroristic threats. He allegedly made threatening calls to Vel Phillips Memorial High School in Madison, Wisconsin, as well as several schools in Texas and Pennsylvania. Police said he admitted to paying others to make threatening calls.
Comments on the case

FBI Assistant Director Michael J. Driscoll says the following:
Garrison allegedly gained unauthorized access to victims’ accounts using a sophisticated hacking attack to steal hundreds of thousands of dollars. Cyber intrusions to steal private funds pose a serious risk to our economic security. Combating cyberattacks and holding responsible threats to the criminal justice system accountable remains a top priority for the FBI.
DraftKings stated:
The safety and security of our customers’ personal and payment information is of the utmost importance to DraftKings. We worked with law enforcement to apprehend the alleged bad actor(s) and want to thank the Department of Justice, including the FBI and the US Attorney, Southern District of New York, for their swift and effective actions.
According to DraftKings, the company has refunded the balances of users who were affected by the breach.
Defense against cyber attacks

There are a number of steps users can take to avoid security breaches like the one that occurred at DraftKings. Perhaps the most obvious is to not reuse the same password for multiple accounts.
Another measure you can take is to turn on two-factor authentication, which will send a code to your phone when someone tries to log into your account. This code will need to be entered within a certain time period to log in. Since they won’t have this code, hackers won’t be able to easily access your account even if they somehow manage to obtain your username and password.
Perhaps one of the reasons so many users ignored these simple security measures is that they trusted in the fact that DraftKings is a state-licensed organization. After all, increased user security is often touted as an advantage of betting sites that are fully regulated by government authorities, unlike offshore sites.
However, we have seen that “regulated” does not always mean “safer”. In the same month that Joseph Garrison allegedly began his fraudulent dealings with DraftKings accounts, we reported on an unrelated scam in which money was secretly taken from the accounts of online poker players. In this case, too, the affected sites were licensed and regulated by the state.
Meanwhile, we haven’t seen any stories of such happenings on offshore betting sites recently. Perhaps because most of them have been in business for a decade or more, they have more experience in countering this type of threat. Or maybe because their payment methods aren’t tightly integrated with traditional banking systems, they’re not as lucrative a target for would-be thieves. Whatever the reasons, international gaming sites are often safer from hackers and other miscreants than local sites.
Safe bets possible no matter what state you live in

If you’re in a state that DraftKings doesn’t yet accept customers from, or you’re looking for an alternative to the limited offerings at state-licensed bookies, then you have plenty of offshore options. To learn more about them, check out this list of the best online sportsbooks for Americans.
When it comes to poker, you have legal places to play even if your state has not yet legalized online poker. Take a look at this guide to US internet poker for additional information on the sites available to you and their individual strengths and weaknesses.