US Attorney’s Office charges 18 year old in DraftKings credential stuffing case

Handcuffs and paperwork with fingerprints
Image: Shutterstock

Federal prosecutors believe they have discovered the man responsible for a widespread credential stuffing scam at DraftKings Sportsbook this past November. The US Attorney’s Office Southern District of New York pressed charges against Joseph Garrison, an 18-year-old from Wisconsin, with six counts related to fraud that impacted over 60,000 DraftKings customers and involved over $600,000.

Garrison faces upwards of 20 years in prison. He is scheduled to appear in court Thursday afternoon.

“As alleged, Garrison used a credential stuffing attack to hack into the accounts of tens of thousands of victims and steal hundreds of thousands of dollars.  Today, thanks to the work of my Office and the FBI, Garrison learned that you shouldn’t bet on getting away with fraud,” said US Attorney Damian Williams in a statement.

Law enforcement searched Garrison’s home in February and confiscated computers and cell phones with evidence that he used illegally obtained logins for thousands of accounts and used the programs OpenBullet and SilverBullet to run those credentials through online sportsbooks and gambling sites like DraftKings.

Once inside an account, Garrison would establish a new payment method by depositing $5, get that method verified, and then withdraw the balance on the account back to that method. He was able to successfully withdraw money from roughly 1,500 accounts.

The complaint included text exchanges between Garrison and his co-conspirators that included specific instructions on how to bypass two-factor authentication. In those conversations, Garrison also admitted to previous fraud scams. He also said things like “fraud is fun” and “I’m addicted to see money in my account” before saying he is considering starting his own shop for fraud.

Authorities interviewed Garrison in June and learned that he had previous run a website called “Goat Shop” which sold hacked accounts. From 2018-2021 he earned roughly $15,000 a day from the venture, pocketing over $800,000 overall.

“As alleged, Garrison attained unauthorized access to victim accounts using a sophisticated cyber-breaching attack to steal hundreds of thousands of dollars.  Cyber intrusions aiming to steal private individuals’ funds represent a serious risk to our economic security.  Combatting cyberattacks and holding the responsible threat actors accountable in the criminal justice system remains a top priority for the FBI,” said FBI Assistant Director in Charge Michael J Driscoll.

The Complex Frauds and Cybercrime Unit will prosecute the case with Assistant US Attorneys Kevin Mead and Micah Ferguson leading the charge.

“The safety and security of our customers’ personal and payment information is of paramount importance to DraftKings. We worked with law enforcement in catching the alleged bad actor(s), and we want to thank the Department of Justice, including the FBI and U.S. Attorney, Southern District of New York, for their prompt and effective action. As we stated previously, bad actor(s) were able use login credentials obtained from a third-party source to gain access to certain user accounts. When the identified credential stuffing incident occurred in November 2022, DraftKings provided notice to customers in relevant jurisdictions and restored amounts for a limited number of users who may have had funds improperly withdrawn from their accounts,” a DraftKings spokesperson told SBC Americas.

“Today’s news reinforces the importance for law enforcement at all levels to hold fraudsters and other criminals accountable,” said American Gaming Association Senior Vice President of Government Relations Chris Cylke.