A Wisconsin teenager who concocted a sophisticated cyber scheme to steal private customer data from thousands of sports betting website accounts pleaded guilty to conspiracy Wednesday in New York.
The 19-year-old defendant, Joseph Garrison, admitted conspiring with others to access approximately 60,000 accounts through a hacking technique known as credential stuffing. Garrison pleaded guilty to a single charge of conspiracy to commit computer intrusion.
Garrison and others stole approximately $600,000 from roughly 1,600 victim accounts, according to a statement from the U.S. Attorney’s Office for the Southern District of New York. The plea was made nearly 12 months after DraftKings confirmed that a number of bettors had their online accounts compromised through irregular activity on other third-party sites last November.
While the sportsbook operator was not named in the statement, the hackers targeted DraftKings in the breach, CNBC previously reported in May. Two others, FanDuel and BetMGM, reported an uptick in cyber disruptions in the final quarter of 2022. Multiple media outlets on Wednesday identified DraftKings as the operator targeted by Garrison’s group.
Explaining credential stuffing
In May, the U.S. Attorney’s Office unsealed a six-count indictment against Garrison, a resident of Madison, Wisconsin, identifying him as having launched a credential stuffing attack on Nov. 18, 2022.
DraftKings acknowledged last November that several unauthorized individuals gained access to some customers’ log-in information, impacting about $300,000 in customer funds. DraftKings said it found no evidence at the time to suggest that the company’s systems were breached to obtain the information.
Credential stuffing generally occurs when a cybercriminal uses login credentials obtained from a third-party site to gain unauthorized access to a customer’s account. The breach can be carried out if a customer uses the same password on a reasonably secure national website as he does at a local gym or other business with lesser cybersecurity protections. The criminal then attempts to use the stolen credentials to gain access to accounts maintained by the user at other businesses where the customer has the same username-password pair.
According to the Justice Department, Garrison and others carried out the scheme by adding a new payment method to an account, then subsequently withdrawing the existing funds in the victim accounts through the new payment method. The defendant executed the scheme by depositing as little as $5 into a compromised account on numerous occasions. According to a data breach notification filed with the Maine Attorney General’s Office, the intrusion impacted the accounts of at least 67,995 DraftKings customers.
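The cash-out sequence described above (a new payment method, a deposit as small as $5, then a withdrawal of the existing balance through that method) is something an operator can look for in its own account logs. The sketch below is an added illustration, not code from DraftKings or the court filings; the event names, sample records, 24-hour window and $10 threshold are all assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, account, event, payment method, amount in USD).
# Event names and all values are hypothetical, not taken from any real log.
EVENTS = [
    ("2022-11-18T10:00:00", "acct-1", "login", None, 0.0),
    ("2022-11-18T10:02:00", "acct-1", "payment_method_added", "pm-new", 0.0),
    ("2022-11-18T10:03:00", "acct-1", "deposit", "pm-new", 5.0),
    ("2022-11-18T10:06:00", "acct-1", "withdrawal", "pm-new", 480.0),
    # Long-standing payment method: ordinary activity.
    ("2022-11-18T11:00:00", "acct-2", "deposit", "pm-old", 50.0),
    ("2022-11-18T11:30:00", "acct-2", "withdrawal", "pm-old", 120.0),
    # New method, but the withdrawal comes a week later.
    ("2022-11-10T09:00:00", "acct-3", "payment_method_added", "pm-x", 0.0),
    ("2022-11-10T09:05:00", "acct-3", "deposit", "pm-x", 5.0),
    ("2022-11-17T09:00:00", "acct-3", "withdrawal", "pm-x", 40.0),
]


def flag_cashouts(events, window=timedelta(hours=24), small_deposit=10.0):
    """Flag withdrawals that drain an account through a payment method that was
    added recently and funded only with a token deposit."""
    added = {}      # (account, method) -> time the method was added
    deposited = {}  # (account, method) -> total deposited through it since then
    alerts = []
    for ts, account, kind, method, amount in sorted(events, key=lambda e: e[0]):
        when = datetime.fromisoformat(ts)
        key = (account, method)
        if kind == "payment_method_added":
            added[key] = when
            deposited[key] = 0.0
        elif kind == "deposit" and key in added:
            deposited[key] += amount
        elif kind == "withdrawal" and key in added:
            recent = when - added[key] <= window
            token_deposit = 0 < deposited[key] <= small_deposit
            drains_balance = amount > deposited[key]  # takes out more than it put in
            if recent and token_deposit and drains_balance:
                alerts.append({"account": account, "method": method,
                               "withdrawn": amount, "minutes_after_add":
                               (when - added[key]).total_seconds() / 60})
    return alerts


if __name__ == "__main__":
    for alert in flag_cashouts(EVENTS):
        print(alert)
```

Only the first account is flagged: the second withdraws through a payment method with no recent add event, and the third withdraws a week after the method was added.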
In many cases, combinations of stolen usernames and passwords can be purchased on the “dark web” at relatively low prices. For instance, an FBI undercover agent on the case purchased usernames and passwords for two victim accounts at a cost of $11 total in January. Weeks later, law enforcement officials executed a search of Garrison’s computer, cellphone, and other items at his Wisconsin residence. During the intrusion of the betting website, there were a series of attempts to access customer betting website accounts using a large list of stolen credentials, the Justice Department wrote in Wednesday’s statement.
Over the course of the February search, law enforcement officials also located hundreds of so-called “config files,” which are used to carry out credential stuffing attacks. The officials detected about 700 separate config files for potential attacks against dozens of other company websites, the Justice Department said. The search uncovered at least 69 wordlists containing more than 38.4 million username and password combinations, according to last May’s indictment.
A search of Garrison’s phone by law enforcement uncovered conversations where the defendant allegedly bragged to a conspirator that he was “obsessed with bypassing sh**.” Garrison also claimed that he hacked into sites no one else breached, while asserting that “fraud is fun.” The conspirator urged Garrison to settle down, since he already faced “enough heat.” At one point, Garrison gushed about making six figures in a single afternoon.
Industry concern about cybercrime
Garrison’s guilty plea comes at a time when the gambling industry is on high alert for cyber attacks. In September, MGM Resorts fell victim to a comprehensive breach that prompted the casino giant to temporarily shut down its IT systems at numerous Las Vegas properties. The intrusions led to approximately $100 million in insured losses, with MGM Resorts CEO Bill Hornbuckle remarking that the company had been to “hell and back with the cyberattack.”
The intrusion served as a popular topic at last month’s Global Gaming Expo in Las Vegas. Appearing on stage with FanDuel CEO Amy Howe, DraftKings CEO Jason Robins expressed sympathy for MGM in saying that cyberattacks can happen to anyone. While leading sportsbooks compete in a number of areas, cybersecurity is one that top operators should collaborate on, Robins suggested. He said of the MGM breach: “We use it as an opportunity to remind our employees when this happens, it’s usually not because we had bad security systems. It’s because somebody got duped, or somebody was a bad actor on the inside.”
While cyberattacks have become extremely sophisticated, Robins stressed that the intrusions are difficult to execute without assistance from someone on the inside. Given the sophistication of the attacks, an employee may be deceived, illustrating the angst exhibited by leading sportsbooks.
To be clear, Robins did not explicitly specify that a DraftKings employee had a role in the incursion carried out by Garrison.
“The safety and security of our customers’ account information is of paramount importance to DraftKings. We want to thank the Department of Justice, including the FBI and U.S. Attorney’s office for the Southern District of New York, for their prompt and effective action,” DraftKings wrote in a statement.
There has been no indication whether other indictments are forthcoming in the case.
Under the plea, Garrison agreed to forfeit a sum of $175,019.11, representing proceeds traceable to the offense, according to the plea agreement obtained by Sports Handle. Furthermore, Garrison agreed to make further payments of $1.33 million in restitution under a plan established by the court.
Garrison, who has been free on a $100,000 bond since his arrest, is scheduled to be sentenced on Jan. 16. The single count of conspiracy to commit computer intrusion carries a maximum prison sentence of five years. While the defendant’s stipulated sentencing guidelines call for between 24 and 30 months of imprisonment, either side may seek a sentence outside the guidelines.