Wisconsin teenager Joseph Garrison has pleaded guilty to his involvement in a scheme to access user accounts at a fantasy sports and betting website.
According to court documents, on November 18, 2022, Garrison launched a credential stuffing attack against the betting site, obtaining access to approximately 60,000 user accounts.
The defendant and others then stole about $600,000 from approximately 1,600 victim accounts, by adding a new payment method to the accounts, depositing $5 to each account using the new payment method, and then withdrawing all victim funds.
Law enforcement searched Garrison’s home in February 2023 and discovered software typically used for credential stuffing attacks on his computer, along with approximately 700 config files for these applications.
Additionally, nearly 40 million usernames and passwords that could be used in credentials stuffing attacks were found on his computer.
While searching Garrison’s phone, the investigators said they discovered conversations about hacking the betting website and using the compromised accounts for profit, either by stealing funds or by selling the accounts to cybercriminals.
Garrison, 19, of Madison, Wisconsin, pleaded guilty to conspiracy to commit computer intrusion and faces up to five years in prison.
The US Department of Justice announced charges against Garrison on May 18. The teen surrendered on the same day, in New York, New York.
The documents presented in court do not mention the targeted website, which appears to be DraftKings. In November 2022, the site announced that roughly 68,000 user accounts had been compromised in a credential stuffing attack.
Such attacks involve the use of usernames and passwords obtained from other data breaches to log into accounts that the same individuals have on other websites and which are protected using the same credential pairs.