DraftKings Hacker Sentenced to 18 Months in Prison

Joseph Garrison has received an 18-month prison sentence for accessing 60,000 DraftKings user accounts using credential stuffing.

A Wisconsin man has been sentenced to 18 months in prison for his role in a credential stuffing attack targeting user accounts at a fantasy sports and betting website.

According to court documents, in November 2022, the man, Joseph Garrison, 19, used username and password pairs from other data breaches to access approximately 60,000 user accounts at the target site that were using the same passwords.

Although not named in the documents presented in court, DraftKings, which in November 2022 reported falling victim to a credential stuffing attack, appears to be the target website. 

In some instances, Garrison and his co-conspirators withdrew funds from the compromised accounts by adding a new payment method to them. In total, the attackers stole roughly $600,000 from approximately 1,600 accounts.

Garrison was charged in May 2023 and surrendered himself the same day he was indicted. He pleaded guilty in November 2023.

Prior to his arrest, law enforcement searched Garrison’s house and found software typically used for credential stuffing on his computer. Additionally, 700 individual config files used by the credential stuffing programs and 40 million username and password pairs were found.

On Garrison’s phone, investigators found conversations about the attack and about how to monetize it by stealing funds and selling access to the compromised accounts.

In addition to prison time, Garrison was sentenced to three years of supervised release and ordered to pay over $175,000 in forfeiture and more than $1.3 million in restitution.

On January 29, the US Department of Justice announced charges against two other individuals involved in the scheme, namely Nathan Austad, 19, of Farmington, Minnesota, and Kamerin Stokes, 21, of Memphis, Tennessee. Both were arrested.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

