According to today’s DOJ announcement, a Wisconsin man named Joseph Garrison, 18, has been accused of breaking into the accounts of about 60,000 customers of the DraftKings accounts for the sports betting website in November 2022.
The complaint states that the suspect hacked into the accounts by using stolen credentials from multiple earlier breaches. He eventually sold the compromised accounts to criminals who stole $600,000 from 1,600 of them.
By adding a new payment method to the compromised accounts, depositing a small amount (in this case, $5) to verify its validity, and then withdrawing all existing funds, Garrison and his co-conspirators devised a method that would allow buyers of the stolen accounts to withdraw all funds.
OpenBullet and SilverBullet, both of which are used in credential-stuffing assaults and require unique “config” files for each target website, were discovered in search of Garrison’s home by law enforcement in February 2023.
The suspect’s computer had over 700 configuration files for dozens of corporate websites, including 11 for the betting website that was targeted in November.
In addition, the search turned up a minimum of 69 files (termed “wordlists”) holding a total of around 38,484,088 possible combinations of user name and password that can be exploited in credential stuffing attacks.
Additional evidence incriminating Garrison in the November 2022 credential attempt on the betting platform was uncovered by law police while analyzing Garrison’s phone, including conversations with co-conspirators about hacking the website. As Garrison put it in one of these conversations, “fraud is fun… im addicted to see money in my account.. im like obsessed with bypassing shit.”
It reports that a source close to DraftKings has confirmed that the company was indeed the target of the credential-stuffing hack detailed in today’s DOJ news release. On November 21, DraftKings first reported that a credential hack had compromised customer accounts to the tune of $300,000.
When BleepingComputer contacted DraftKings in November to inquire about the theft, we were told, “Your source is incorrect on both the dollar figure and the number of customers affected.”
In a press release issued a month after the attack, the sports betting company claimed it had repaid hundreds of thousands of dollars to the 67,995 users whose accounts had been compromised.
In the same week in November, users reported that their FanDuel accounts had been compromised due to a credential-stuffing attack, with the compromised accounts being sold for as little as $2 on underground markets.
After the hacks on DraftKings accounts and FanDuel, Garrison is said to have operated a website called “Goat Shop” where compromised accounts were sold. The lawsuit alleges that law officials found an undated photo on the Garrison Phone showing Goat Shop sold 225,247 goods for $2,135,150.09.
The complaint states that in addition to the instructions discovered on the Garrison’s Goat Shop website, identical instructions on how to empty compromised DraftKings accounts were also seen on another online shop.
Co-conspirators monitored DraftKings’ issue response as well and, at a time, warned that all compromised accounts were locked after the firm reset passwords.
After the hack in November, DraftKings urged users to change their passwords, enable two-factor authentication (2FA), and disconnect their bank accounts or delete their banking information to prevent fraudulent withdrawal requests.
Also, in March (after an investigation that began in January) Chick-fil-A stated that the accounts of 71,473 consumers were compromised after a months-long “automated” credential stuffing attack that occurred between December 18th, 2022 and February 12th, 2023.
Depending on the amount of Chick-fil-A One rewards points or the balance of the compromised account, the stolen accounts ended up being sold on the Goat Shop website for as much as $200.
The FBI has issued a warning that credential-stuffing assaults are on the rise due to the use of automated tools and the availability of compiled lists of stolen credentials.
According to allegations made by the FBI, Garrison used a sophisticated cyber-breach attack to gain unauthorized access to victim accounts and steal hundreds of thousands of dollars.
Attempts to hack into personal accounts represent a serious threat to the financial security of nations. The FBI continues to place a premium on tracking down and prosecuting those responsible for cyberattacks.
Conclusion
The individual behind DraftKings Sportsbook’s November credential stuffing scheme has been identified by federal prosecutors. Joseph Garrison, an 18-year-old from Wisconsin, was charged with six counts of fraud that affected over 60,000 DraftKings customers and included over $600,000. Garrison might serve 20 years. Thursday afternoon is his court date. Garrison allegedly used credential stuffing to hack into tens of thousands of victims’ accounts and steal hundreds of thousands of dollars. “Today, thanks to my Office and the FBI, Garrison learned that you shouldn’t bet on getting away with fraud,” stated US Attorney Damian Williams. In February, law enforcement searched Garrison’s residence and the evidence-filled computers and cell phones that were seized from their OpenBullet and SilverBullet to run thousands of illegally obtained logins through online sportsbooks and gambling sites like DraftKings.
Garrison would deposit $5, verify the payment method, and then withdraw the account balance to that method. He withdrew money from 1,500 accounts. The complaint featured text exchanges between Garrison and his co-conspirators that detailed how to defeat two-factor authentication. Garrison acknowledged to fraud scams in those discussions. He added, “fraud is fun” and “I’m addicted to see money in my account” before considering opening a fraud shop. In June, Garrison told authorities he ran “Goat Shop,” a website that sold hijacked accounts. He made nearly $800,000 from the venture between 2018-2021, earning $15,000 a day. Garrison used a sophisticated cyber-breaching effort to steal hundreds of thousands of dollars from victim accounts. Cyberattacks to steal private funds threaten our economy. According to FBI Assistant Director in Charge Michael J. Driscoll, the FBI prioritizes fighting cyberattacks and holding threat actors accountable in the criminal justice system.
