Teen charged with hacking DraftKings, said ‘fraud is fun’ | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker

In this photo illustration, the American daily fantasy sports contest and sports betting company DraftKings logo is displayed on a smartphone screen.

Budrul Chukrut | Lightrocket | Getty Images

Federal prosecutors on Thursday announced criminal charges against an 18-year-old Wisconsin man for a scheme to hack and sell access to user accounts of the sports betting site DraftKings.

The man, Joseph Garrison, is accused of working with others to steal about $600,000 from approximately 1,600 victim accounts during the November 2022 attack, according to the U.S. Attorney’s Office in Manhattan.

DraftKings is not named in the criminal complaint against Garrison. But a person close to the company said it was a target of the so-called credential stuffing attack. DraftKings later confirmed it.

In a statement to CNBC, DraftKings said: “The safety and security of our customers’ personal and payment information is of paramount importance to DraftKings. We worked with law enforcement in catching the alleged bad actor(s), and we want to thank the Department of Justice, including the FBI and U.S. Attorney, Southern District of New York, for their prompt and effective action.”

The company said it restored funds for the “limited number of users” who were impacted by the breach.

Law enforcement authorities searched Garrison’s home in Wisconsin on Feb. 23, and recovered his computer and cellphone, according to the complaint.

On those devices, investigators found credential stuffing programs, instruction photos on how to use stolen user credentials to steal money from victim accounts, and messages between Garrison and co-conspirators, the complaint said.

The messages included ones where Garrison wrote, “fraud is fun . . . im addicted to see money in my account . . . im like obsessed with bypassing s—,” according to a court filing.

The images cited in the FBI affidavit were hosted on Imgur, a popular file-sharing website.

CNBC also found the same images on a website that purportedly sells compromised accounts on DraftKings and FanDuel, among others.

ESPN previously reported that a cyberattack in November affected users of DraftKings and rival site FanDuel. FanDuel told CNBC it wasn’t materially impacted by the attack: “Our security did its job.”

Garrison is charged with conspiracy to commit computer intrusions, unauthorized access to a protected computer to further intended fraud, unauthorized access to a protected computer, wire fraud conspiracy, wire fraud and aggravated identity theft.

He faces a maximum possible prison sentence of 20 years if convicted, but would likely get significantly less time under federal guidelines.

Chris Cylke, senior vice president for government relations at The American Gaming Association, an industry group told CNBC: “The legal gaming industry is working hard to provide consumers with safe, regulated access to betting.”

“Today’s news reinforces the importance for law enforcement at all levels to hold fraudsters and other criminals accountable,” Cylke said.

–CNBC’s Rohan Goswami contributed to this report.


Click Here For The Original Story From This Source.

National Cyber Security