Cybercrime

US Teen Pleads Guilty to Credential Stuffing Attack on Fantasy Sports Website

Wisconsin teenager Joseph Garrison has admitted in court to launching a credential stuffing attack on a betting website.

Published

Wisconsin teenager Joseph Garrison has admitted in court to launching a credential stuffing attack on a betting website.

Wisconsin teenager Joseph Garrison has pleaded guilty to his involvement in a scheme to access user accounts at a fantasy sports and betting website.

According to court documents, on November 18, 2022, Garrison launched a credential stuffing attack against the betting site, obtaining access to approximately 60,000 user accounts.

The defendant and others then stole about $600,000 from approximately 1,600 victim accounts, by adding a new payment method to the accounts, depositing $5 to each account using the new payment method, and then withdrawing all victim funds.

Law enforcement searched Garrison’s home in February 2023 and discovered software typically used for credential stuffing attacks on his computer, along with approximately 700 config files for these applications.

Additionally, nearly 40 million usernames and passwords that could be used in credentials stuffing attacks were found on his computer.

While searching Garrison’s phone, the investigators said they discovered conversations about hacking the betting website and using the compromised accounts for profit, either by stealing funds or by selling the accounts to cybercriminals.

Garrison, 19, of Madison, Wisconsin, pleaded guilty to conspiracy to commit computer intrusion and faces up to five years in prison.

The US Department of Justice announced charges against Garrison on May 18. The teen surrendered on the same day, in New York, New York.

Advertisement. Scroll to continue reading.

The documents presented in court do not mention the targeted website, which appears to be DraftKings. In November 2022, the site announced that roughly 68,000 user accounts had been compromised in a credential stuffing attack.

Such attacks involve the use of usernames and passwords obtained from other data breaches to log into accounts that the same individuals have on other websites and which are protected using the same credential pairs.

Related: US Announces IPStorm Botnet Takedown and Its Creator’s Guilty Plea

Related: Twitter Celebrity Hacker Pleads Guilty in US

Related: Owner of Cybercrime Website BreachForums Pleads Guilty

In this article:, ,

Related Content

Okta Warns of Credential Stuffing Attacks U

Identity & Access

Okta Warns of Credential Stuffing Attacks Using Tor, Residential Proxies

Okta warned of a spike in credential stuffing attacks using anonymizing services such as Tor, DataImpulse, Luminati, and NSocks.

April 29, 2024

Cybercrime

DraftKings Hacker Sentenced to 18 Months in Prison

Joseph Garrison has received an 18-month prison sentence for accessing 60,000 DraftKings user accounts using credential stuffing.

February 2, 2024

Cybercrime

Two More Individuals Charged for DraftKings Hacking

Nathan Austad and Kamerin Stokes have been charged for hacking user accounts at fantasy sports and betting website DraftKings.

January 31, 2024

Application Security

PayPal Warns Users of Credential Stuffing Attacks

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.

January 20, 2023

Copyright © 2024 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.

Exit mobile version