An 18-year-old man named Joseph Garrison from Wisconsin has been charged by the Department of Justice for hacking into around 60,000 accounts of DraftKings sports betting website users in November 2022.
Garrison allegedly used credentials from other breaches to break into the accounts and then sold the hijacked accounts, resulting in approximately $600,000 being stolen from 1,600 compromised accounts.
Furthermore, Garrison and his co-conspirators devised a method that allowed buyers of the stolen accounts to withdraw funds by adding new payment methods and transferring the victims’ funds to separate financial accounts under the attackers’ control.
Investigations revealed that Garrison possessed tools commonly used in credential-stuffing attacks, including OpenBullet and SilverBullet, along with numerous configuration files for various corporate websites, including 11 for the targeted betting website.
Authorities also found wordlists containing millions of username and password combinations used in credential-stuffing attacks. Garrison’s phone conversations and discussions with co-conspirators provided further evidence of his involvement in the attack and of his belief that he would go unpunished.
DraftKings, one of the targeted sites, acknowledged the incident and worked with law enforcement to apprehend the alleged perpetrators.
The company emphasized the importance of customer data security and took measures to restore funds for affected users.
Finally, the case highlights the growing threat of credential-stuffing attacks, prompting organizations to prioritize strong security measures and user education to prevent unauthorized access and financial losses.
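A defender-side check for the cash-out pattern described above (a new payment method is added and funds are then withdrawn to it), as an added example that is not from DraftKings or the original article. The event schema, field names and 24-hour window are assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real data); the schema is an assumption.
EVENTS = [
    {"ts": "2022-11-01T09:00:00", "account": "alice", "type": "login", "ip": "198.51.100.7"},
    {"ts": "2022-11-18T03:12:00", "account": "alice", "type": "login", "ip": "203.0.113.50"},
    {"ts": "2022-11-18T03:14:00", "account": "alice", "type": "add_payment_method", "ip": "203.0.113.50", "method": "pm_a2"},
    {"ts": "2022-11-18T03:20:00", "account": "alice", "type": "withdrawal", "ip": "203.0.113.50", "method": "pm_a2", "amount": 375},
    # bob: new method and quick withdrawal, but from an IP he has used for weeks
    {"ts": "2022-11-02T12:00:00", "account": "bob", "type": "login", "ip": "192.0.2.10"},
    {"ts": "2022-11-15T12:05:00", "account": "bob", "type": "add_payment_method", "ip": "192.0.2.10", "method": "pm_b2"},
    {"ts": "2022-11-15T12:10:00", "account": "bob", "type": "withdrawal", "ip": "192.0.2.10", "method": "pm_b2", "amount": 50},
    # carol: new IP adds a method, but the withdrawal comes days later
    {"ts": "2022-11-05T08:00:00", "account": "carol", "type": "login", "ip": "198.51.100.99"},
    {"ts": "2022-11-05T08:02:00", "account": "carol", "type": "add_payment_method", "ip": "198.51.100.99", "method": "pm_c1"},
    {"ts": "2022-11-09T08:00:00", "account": "carol", "type": "withdrawal", "ip": "198.51.100.99", "method": "pm_c1", "amount": 20},
]

def flag_cashouts(events, window=timedelta(hours=24)):
    """Return withdrawals sent to a payment method that was added within
    `window`, from an IP first seen on that account within `window` of the add."""
    first_seen = {}  # (account, ip) -> first time this IP touched the account
    added = {}       # (account, method) -> (time added, added from unfamiliar IP?)
    flagged = []
    # ISO-8601 timestamps in one format sort correctly as strings
    for e in sorted(events, key=lambda ev: ev["ts"]):
        ts = datetime.fromisoformat(e["ts"])
        acct = e["account"]
        seen = first_seen.setdefault((acct, e["ip"]), ts)
        if e["type"] == "add_payment_method":
            added[(acct, e["method"])] = (ts, ts - seen <= window)
        elif e["type"] == "withdrawal":
            add_ts, unfamiliar_ip = added.get((acct, e["method"]), (None, False))
            if add_ts is not None and unfamiliar_ip and ts - add_ts <= window:
                flagged.append(e)
    return flagged

if __name__ == "__main__":
    for hit in flag_cashouts(EVENTS):
        print("review:", hit["account"], hit["method"], hit["amount"])
```

A hit is a candidate for step-up verification or a withdrawal hold rather than proof of takeover; a brand-new account will also match, since every IP is unfamiliar on its first day.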