- 5 easy ways to transfer photos from your Android device to your Windows PC
- How to get Google's new Pixel 9a for free
- Just installed iOS 18.4? Changing these 3 features made my iPhone much better to use
- 7 strategic insights business and IT leaders need for AI transformation in 2025
- The most underrated robot vacuum I've ever tested is now 60% off
Teen Charged in DraftKings Credential Stuffing Case
An 18-year-old Wisconsin man has been charged with a credential stuffing campaign against users of the popular US betting site DraftKings, in which he and others allegedly stole an estimated $600,000.
Joseph Garrison of Madison, Wisconsin, was charged yesterday with conspiracy to commit computer intrusions, unauthorized access to a protected computer to further intended fraud, unauthorized access to a protected computer, wire fraud conspiracy, wire fraud and aggravated identity theft. The charges carry a combined maximum sentence of 57 years.
Garrison is accused of launching the attack on DraftKings customers on November 18 last year.
Read more about credential stuffing: The North Face Warns of Major Credential Stuffing Campaign.
Using classic credential stuffing techniques, Garrison allegedly used stolen lists of usernames and password combos to try and simultaneously access accounts across the web that victims may have used the same logins for.
In this way he was able to access 60,000 DraftKings user accounts. In some cases, he was able to add a new payment method to an account, deposit $5 to verify that payment method and then withdraw all funds.
Using this MO, Garrison and his co-conspirators are said to have stolen around $600,000 from 1600 victim accounts, according to the US Attorney’s Office for the Southern District of New York. As reported by Infosecurity at the time, it was initially believed that just $300,000 was stolen from customer accounts.
Garrison’s home was searched by law enforcers in February, during which time they found credential stuffing software including 700 “config” files for dozens of targeted websites, as well as files containing 40 million login combos.
His smartphone allegedly also contained conversations with co-conspirators about how to hack the DraftKings accounts and extract funds.
In one conversation, he is alleged to have said: “Fraud is fun . . . im addicted to see money in my account.”
Editorial image credit: T. Schneider / Shutterstock.com
