On November 16, 2023, a teenager from Madison, Wis. pleaded guilty to conspiracy to commit computer intrusion in connection to the theft of over $600,000 from approximately 1,600 DraftKings accounts. Joseph Garrison, 18 years old, is facing up to five years in a federal prison for his fraudulent activities.
The teenager, along with other individuals, carried out a credential-stuffing attack on the DraftKings sportsbook on November 18, 2022. This type of cyber attack involves using stolen log-in credentials to gain unauthorized access to user accounts. Garrison and his accomplices were able to add a new payment method to the accounts, deposit a small amount of money to verify the method, and then withdraw all the existing funds.
The attack had a significant impact on DraftKings’ shares, causing a 5% drop on the Nasdaq as investors feared a decline in consumer confidence in the mobile sportsbook. When the FBI conducted a raid at Garrison’s home in February 2023, they found credential-stuffing software and files containing nearly 40 million pairs of usernames and passwords. Conversations extracted from Garrison’s phone revealed his obsession with fraud and bypassing security measures.
The investigation also uncovered that Garrison had made over $2.1 million from cyber fraud by the age of 18, earning up to $15,000 a day between 2018 and 2021. Additionally, prior to the DraftKings attack, he faced charges related to making bomb threats and terrorist threats, as well as attempted bomb threats. Court documents indicated that Garrison had hired third parties over the internet to make threats to his high school.
Joseph Garrison’s case highlights the prevalence and seriousness of cyber fraud, as well as the impact it can have on individuals and businesses. His guilty plea serves as a reminder of the importance of cybersecurity measures and the consequences of engaging in fraudulent activities.