A Wisconsin teenager has been charged with accessing tens of thousands of user accounts at a fantasy sports and betting website after launching a credential stuffing attack on the site.
According to a six-count criminal complaint (PDF), the teenager, Joseph Garrison, of Wisconsin, launched the attack on the betting website on November 18, 2022, accessing roughly 60,000 accounts without authorization.
In some cases, the defendant and others added a new payment method to the compromised accounts, deposited $5 using the new payment method, and then withdrew all the victims’ funds to financial accounts controlled by the attackers.
According to the complaint, the attackers used this method on roughly 1,600 victim accounts, stealing approximately $600,000.
The targeted betting website, which is not named in the complaint, appears to be DraftKings. In November 2022, the firm announced that the accounts of roughly 68,000 users were compromised in a credential stuffing attack.
During a search at Garrison’s house in February 2023, law enforcement found programs used for credential stuffing attacks, which require individualized “config” files for the victim websites.
On Garrison’s computer, law enforcement found roughly 700 config files for different corporate websites, along with files containing nearly 40 million username and password pairs.
On Garrison’s phone, the investigators found conversations with co-conspirators about hacking the betting website and extracting funds from the victim accounts or selling access to those accounts.
According to the complaint, in one conversation, Garrison said he was good at and enjoyed credential stuffing attacks, and that he believed he would not be caught or prosecuted.
Garrison surrendered himself on May 18 in New York, New York. He is charged with conspiracy to commit computer intrusions, unauthorized access to a computer, intended fraud, wire fraud conspiracy, wire fraud, and aggravated identity theft.
As part of a credential stuffing attack, threat actors use login credentials obtained from other data breaches to access accounts that the same individuals have on other websites, which are protected using the same usernames and passwords.
*updated to name DraftKings as the targeted website
Related: Over 71k Impacted by Credential Stuffing Attacks on Chick-fil-A Accounts
Related: PayPal Warns Users of Credential Stuffing Attacks
Related: FBI Warns of Proxies and Configurations Used in Credential Stuffing Attacks
