DraftKings hacker pleads guilty to credential stuffing

One year after committing the crime and five months after being formally charged, the hacker responsible for withdrawing $600,000 across 1,600 DraftKings accounts through credential stuffing has pleaded guilty.

Eighteen-year-old Joseph Garrison of Wisconsin pleaded guilty to one count of conspiring to commit computer intrusion. The charge carries a maximum sentence of five years. When Garrison was arrested in May, the charges against him could have resulted in 20 years in prison.

“Joseph Garrison and his co-conspirators launched an online cyberattack, stealing approximately $600,000 from innocent victims’ accounts. Garrison now stands convicted of a federal crime for targeting the accounts of victims making legitimate online wagers,” said US Attorney Damian Williams.

Among the evidence discovered by the FBI was communication between Garrison and co-conspirators in which he proclaimed, “fraud is fun.”

Garrison accessed customer accounts by filling in stolen login credentials. Once he got into an account, he would add a new payment method, deposit $5, and then withdraw the entire balance of the account to that payment method. While he only managed to withdraw money from 1,600 accounts, authorities found credentials for more than 40 million usernames.
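The cash-out sequence described above (new payment method, small deposit, full withdrawal to that method) can be written as a detection rule over account events. This is an added example, not code from the article or from DraftKings; the event field names, thresholds and sample records are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real data). Field names are assumptions.
EVENTS = [
    # A1: new method, $5 deposit, then the whole balance leaves to that method.
    {"acct": "A1", "ts": "2024-01-01T02:02:10", "type": "add_payment_method", "method": "pm_901"},
    {"acct": "A1", "ts": "2024-01-01T02:03:00", "type": "deposit", "method": "pm_901", "amount": 5.0},
    {"acct": "A1", "ts": "2024-01-01T02:04:30", "type": "withdrawal", "method": "pm_901",
     "amount": 385.0, "balance_before": 385.0},
    # A2: new method, ordinary deposit, small withdrawal.
    {"acct": "A2", "ts": "2024-01-01T09:00:00", "type": "add_payment_method", "method": "pm_200"},
    {"acct": "A2", "ts": "2024-01-01T09:01:00", "type": "deposit", "method": "pm_200", "amount": 50.0},
    {"acct": "A2", "ts": "2024-01-01T21:00:00", "type": "withdrawal", "method": "pm_200",
     "amount": 20.0, "balance_before": 300.0},
    # A3: full withdrawal, but to a long-established method (no recent add).
    {"acct": "A3", "ts": "2024-01-01T10:00:00", "type": "withdrawal", "method": "pm_001",
     "amount": 120.0, "balance_before": 120.0},
    # A4: new method and $5 deposit, but the withdrawal comes days later.
    {"acct": "A4", "ts": "2024-01-01T11:00:00", "type": "add_payment_method", "method": "pm_777"},
    {"acct": "A4", "ts": "2024-01-01T11:05:00", "type": "deposit", "method": "pm_777", "amount": 5.0},
    {"acct": "A4", "ts": "2024-01-05T11:00:00", "type": "withdrawal", "method": "pm_777",
     "amount": 90.0, "balance_before": 90.0},
]

def flag_cashouts(events, window=timedelta(hours=24), max_deposit=10.0, drain_ratio=0.9):
    """Flag accounts where a newly added payment method receives a small
    deposit and then most of the balance, all within `window` of the add."""
    added = {}     # (acct, method) -> time the method was added
    primed = set() # (acct, method) pairs that got a small deposit after the add
    flagged = []
    for e in sorted(events, key=lambda ev: ev["ts"]):  # ISO timestamps sort as text
        ts = datetime.fromisoformat(e["ts"])
        key = (e["acct"], e.get("method"))
        if e["type"] == "add_payment_method":
            added[key] = ts
        elif e["type"] == "deposit" and key in added:
            if e["amount"] <= max_deposit and ts - added[key] <= window:
                primed.add(key)
        elif e["type"] == "withdrawal" and key in primed:
            drained = e["amount"] >= drain_ratio * e["balance_before"]
            if drained and ts - added[key] <= window:
                flagged.append({"acct": e["acct"], "method": e["method"],
                                "amount": e["amount"]})
    return flagged

if __name__ == "__main__":
    for hit in flag_cashouts(EVENTS):
        print(hit)
```

A hit is a candidate for holding the withdrawal and re-verifying the account owner, since the rule keys on the payment-method change rather than on the login itself.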

While Garrison’s legal issues regarding the credential stuffing are settled, he still faces state charges in another, unrelated matter. He is set to go to trial in a Wisconsin state court case regarding fake bomb threats he allegedly phoned into a local high school.

In the meantime, Garrison will appear in court for sentencing on Jan. 16 of next year.