Wisconsin Teen Charged with Major Sports Betting Platform Hack
A young man from Wisconsin has found himself facing serious legal consequences after hacking numerous online betting accounts.
Joseph Garrison, 18, has been charged by the Department of Justice (DoJ) with gaining unlawful access to approximately 60,000 accounts on DraftKings, a popular sports betting platform.
According to the complaint, the illicit operation occurred in November 2022, with Garrison allegedly using a database of leaked credentials from unrelated breaches to access these accounts.
In February, authorities raided Garrison’s residence, revealing tools commonly used in credential-stuffing attacks, such as SilverBullet and OpenBullet. These tools require custom configuration files to carry on attacks; police allegedly found roughly 700 such configuration files on the suspect’s computer, including 11 tailored for the DraftKings attack.
Garrison is accused of selling the compromised accounts to buyers who, according to the DOJ, extracted around $600,000 from nearly 1,600 of these accounts.
In a cunning and coordinated scheme, the funds were extracted using a specific method: buyers added new payment details to the hacked accounts, then deposited $5.This small fee acted as a verification step to confirm the validity of the newly added payment method.
Once the verification went through, the infiltrators drained the accounts. According to the Justice Department, this egregious breach left many DraftKings users financially out of pocket.
“On GARRISON’s cellphone, law enforcement also located conversations between GARRISON and his co-conspirators, which included discussions about how to hack the Betting Website and how to profit from the hack of the Betting Website by extracting funds from the Victim Accounts directly or by selling access to the Victim Accounts,” said the DoJ in a press release. “In one particular conversation, GARRISON discussed, in substance and in part, how successful he was at credential stuffing attacks, how much he enjoyed credential stuffing attacks, and how GARRISON believed that law enforcement would not catch or prosecute him.”
Garrison is charged with conspiracy to commit computer intrusions, unauthorized access to a protected computer, wire fraud conspiracy, and aggravated identity theft, among others. If convicted, the suspect could face up to 20 years in jail.
Although the DoJ never named the betting platform targeted, several sources, including BleepingComputer, have said DraftKings suffered a matching security incident in November 2022.
In credential stuffing attacks, criminals use credentials stolen in previous data breaches to log in to other accounts owned by the same user. Credential stuffing only works when the victims use the same password on multiple platforms, a practice known as password recycling.
To stay safe against credential stuffing attacks, users should follow these mitigation practices:
- Enable multi-factor authentication (MFA)
- Avoid using the same password for multiple accounts
- Change your password regularly, if possible
- Use dedicated tools such as Bitdefender Password Manager to create strong, unique passwords
Specialized software such as Bitdefender Digital Identity Protection can protect your identity against data breaches, constantly monitoring if your accounts are exposed. Key features include:
- Comprehensive dashboard where you can see your digital footprint, including traces from no-longer-used services
- Monitoring module that continuously scans the public and Dark Web for traces of your data, notifying you immediately upon detecting a match
- Intuitive, 1-click action items to instantly patch leaks and fix weak points in your digital footprint