Damian Williams, the United States Attorney for the Southern District of New York, announced that JOSEPH GARRISON pled guilty today to conspiracy to commit computer intrusion in connection with a scheme to hack user accounts at a fantasy sports and betting website (the “Betting Website”) and sell access to those accounts in order to steal hundreds of thousands of dollars from them. GARRISON pled guilty before U.S. Magistrate Judge Robert W. Lehrburger and is scheduled to be sentenced by U.S. District Judge Lewis A. Kaplan on January 16, 2024.
U.S. Attorney Damian Williams said: “Joseph Garrison and his co-conspirators launched an online cyberattack, stealing approximately $600,000 from innocent victims’ accounts. Garrison now stands convicted of a federal crime for targeting the accounts of victims making legitimate online wagers.”
According to the charging documents and other filings and statements made in court:
On or about November 18, 2022, GARRISON launched a “credential stuffing attack” on the Betting Website. During a credential stuffing attack, a cyber threat actor collects stolen credentials or username and password pairs obtained from large-scale data breaches of companies that can be purchased on the dark web. The threat actor then systematically attempts to use those stolen credentials to obtain unauthorized access to accounts held by the same user with other companies and providers in order to compromise accounts where the user has maintained the same password. Here, in connection with the attack on the Betting Website, there was a series of attempts to log into the Betting Website accounts using a large list of stolen credentials.
GARRISON and others successfully accessed approximately 60,000 accounts at the Betting Website (the “Victim Accounts”) through the credential stuffing attack. In some instances, the individuals who unlawfully accessed the Victim Accounts were able to add a new payment method on the account, deposit $5 into that account through the new payment method to verify that method, and then withdraw all the existing funds in the Victim Account through the new payment method (i.e., to a newly added financial account belonging to the hacker), thus stealing the funds in the Victim Account. Using this method, GARRISON and others stole approximately $600,000 from approximately 1,600 Victim Accounts.
Law enforcement executed a search on GARRISON’s home in February 2023. In that search, they located programs typically used for credential stuffing attacks. Those programs require individualized “config” files for a target website to launch credential stuffing attacks, and law enforcement located approximately 700 such config files for dozens of different corporate websites on GARRISON’s computer. Law enforcement also located files containing nearly 40 million username and password pairs on GARRISON’s computer, which are also used in credential stuffing attacks.
On GARRISON’s cellphone, law enforcement also located conversations between GARRISON and his co-conspirators, which included discussions about how to hack the Betting Website and how to profit from the hack of the Betting Website by extracting funds from the Victim Accounts directly or by selling access to the Victim Accounts. In one particular conversation, GARRISON discussed, in substance and in part, how successful he was at credential stuffing attacks, how much he enjoyed credential stuffing attacks, and how GARRISON believed that law enforcement would not catch or prosecute him. Specifically, GARRISON messaged the following, in substance and in part: “fraud is fun . . . im addicted to see money in my account . . . im like obsessed with bypassing shit.”
* * *
GARRISON, 19, of Madison, Wisconsin, pled guilty to one count of conspiring to commit computer intrusion, which carries a maximum sentence of five years in prison.
The maximum potential sentence is prescribed by Congress and is provided here for informational purposes only, as any sentencing of the defendant will be determined by the judge.
Mr. Williams praised the outstanding work of the Federal Bureau of Investigation.
The case is being prosecuted by the Office’s Complex Frauds and Cybercrime Unit. Assistant U.S. Attorneys Kevin Mead and Micah Fergenson are in charge of the prosecution.