A Wisconsin man has been sentenced to 18 months in prison for his role in a credential stuffing attack targeting user accounts at a fantasy sports and betting website.
According to court documents, in November 2022, the man, Joseph Garrison, 19, used username and password pairs from other data breaches to access approximately 60,000 user accounts at the target site that were using the same passwords.
Although not named in the documents presented in court, DraftKings, which in November 2022 reported falling victim to a credential stuffing attack, appears to be the target website.
In some instances, Garrison and his co-conspirators withdrew funds from the compromised accounts by adding a new payment method to them. In total, the attackers stole roughly $600,000 from approximately 1,600 accounts.
Garrison was charged in May 2023 and surrendered himself the same day he was indicted. He pleaded guilty in November 2023.
Prior to his arrest, law enforcement searched Garrison’s house and found software typically used for credential stuffing on his computer. Additionally, 700 individual config files used by the credential stuffing programs and 40 million username and password pairs were found.
On Garrison’s phone, investigators found conversations about the attack and about how to monetize it by stealing funds and selling access to the compromised accounts.
In addition to prison time, Garrison was sentenced to three years of supervised release and ordered to pay over $175,000 in forfeiture and more than $1.3 million in restitution.
On January 29, the US Department of Justice announced charges against two other individuals involved in the scheme, namely Nathan Austad, 19, of Farmington, Minnesota, and Kamerin Stokes, 21, of Memphis, Tennessee. Both were arrested.