DraftKings Hacker Admits to Stealing $600K

Madison Teen Pleads Guilty to $600K DraftKings Cyber Fraud

A Madison, Wis. teenager has pleaded guilty to conspiracy to commit computer intrusion in connection to the theft of over $600,000 from approximately 1,600 DraftKings accounts. Joseph Garrison, 18, who once claimed that “fraud is fun,” could face up to five years in federal prison.

The teenager and others launched a credential-stuffing attack on the sportsbook on November 18, 2022, according to prosecutors. This type of cybercrime involves using stolen log-in credentials obtained from large-scale corporate data breaches to access accounts with the same passwords.

Once in, Garrison and his accomplices were able to add a new payment method, deposit $5 to verify the method, and then withdraw all existing funds from the accounts, court documents allege. The attack caused DraftKings’ shares to fall 5% on the Nasdaq, as investors feared a drop in consumer confidence in the mobile sportsbook, which had recently launched in many new US state markets.

During a raid on Garrison’s home in February 2023, the FBI found credential-stuffing software used to target numerous corporate websites, as well as files containing nearly 40 million pairs of usernames and passwords on the suspect’s computer. Conversations extracted from Garrison’s phone included discussions on hacking and exploiting the DraftKings website, according to prosecutors.

Garrison allegedly made over $2.1 million from cyber fraud by the time he was 18, earning $15,000 a day between 2018 and 2021. This isn’t his first run-in with the law, as he was previously charged with making bomb threats and terrorist threats related to incidents at his high school, Memorial High School in Madison.

Court documents state that Garrison hired third parties over the internet to make bomb threats to the school on five occasions because he was “bored and wanted to go home.” In addition to the cyber fraud charges, Garrison’s history of bomb threats could contribute to his sentencing.

The case highlights the increasing prevalence of cyber fraud and the potentially devastating financial and legal consequences for those involved.