Joseph Garrison is a Wisconsin teen accused of hacking into DraftKings accounts and stealing at least $600,000, federal authorities say.
Garrison, 18, of Madison, Wisconsin, was arrested on May 18, 2023, on six charges, the U.S. Attorney’s Office for the Southern District of New York announced in a statement.
Federal prosecutors say Garrison hacked accounts on the fantasy sports and betting website and then sold access to those accounts along with instructions on how to drain money from them. DraftKings isn’t named in court documents, but screenshots in the criminal complaint show the site’s interface and details match previous disclosures by the company about a hack that targeted its users.
Garrison and others were able to get into 60,000 DraftKings accounts, prosecutors said. They were able to steal about $600,000 from 1,600 victims, according to prosecutors.
“As alleged, Garrison used a credential stuffing attack to hack into the accounts of tens of thousands of victims and steal hundreds of thousands of dollars,” U.S. Attorney Damian Williams said in a statement. “Today, thanks to the work of my Office and the FBI, Garrison learned that you shouldn’t bet on getting away with fraud.”
Garrison was charged with conspiracy to commit computer intrusions, unauthorized access to a protected computer to further intended fraud, unauthorized access to a protected computer, wire fraud conspiracy, wire fraud and aggravated identity theft, federal prosecutors said.
He made his first court appearance in Manhattan on May 18 and was released on $100,000 bond, court records show. His mother will serve as a “third party custodian,” according to court records.
Garrison and his attorney could not immediately be reached for comment by Heavy.
A DraftKings spokesperson said in a statement to Heavy, “The safety and security of our customers’ personal and payment information is of paramount importance to DraftKings. We worked with law enforcement in catching the alleged bad actor(s), and we want to thank the Department of Justice, including the FBI and U.S. Attorney, Southern District of New York, for their prompt and effective action.”
The spokesperson added, “As we stated previously, bad actor(s) were able to use login credentials obtained from a third-party source to gain access to certain user accounts. When the identified credential stuffing incident occurred in November 2022, DraftKings provided notice to customers in relevant jurisdictions and restored amounts for a limited number of users who may have had funds improperly withdrawn from their accounts.”
Joseph Garrison Wrote in a Message to a Co-Conspirator ‘Fraud Is Fun,’ According to Court Documents
According to the criminal complaint written by FBI Special Agent Michael Gassert, Joseph Garrison began hacking DraftKings accounts in November 2022. He used a method known as “credential stuffing.”
Garrison also targeted FanDuel accounts, records show, but details on whether any money was stolen from the other sports betting and fantasy website were not included in the court documents.
Gassert wrote, “During a credential stuffing attack, a cyber threat actor collects stolen credentials, or username and password pairs, obtained from other large-scale data breaches of other companies, which can be purchased on the darkweb. The threat actor then systematically attempts to use those stolen credentials to obtain unauthorized access to accounts held by the same user with other companies and providers, in order to compromise accounts where the user has maintained the same password.”
According to the complaint, DraftKings notified law enforcement in November 2022 that working log-in credentials the company had verified were available for purchase on “several illicit websites.” On November 21, 2022, Action Network’s Darren Rovell reported on DraftKings users who were seeing money being drained from their accounts.
DraftKings’ co-founder Paul Lieberman told Action Network they “made whole” any users who lost money, adding, “We currently believe that the login information of these customers was compromised on other websites and then used to access their DraftKings accounts where they used the same login information. We have seen no evidence that DraftKings’ systems were breached to obtain this information.”
DraftKings employees tried to verify the hack by purchasing stolen credentials, according to the complaint. They then received instructions on how to steal money from the accounts they bought, according to the complaint.
Gassert included messages Garrison sent to unnamed co-conspirators in the complaint, including one in which the teen wrote, “fraud is fun. … im addicted to see money in my account. … idk im like obsessed with bypassing s***.”
The FBI Says Garrison Made More Than $2 Million Selling Hacked Accounts on a Website Called ‘Goat Shop’
According to the criminal complaint, the FBI discovered Joseph Garrison had previously run a website he called the “Goat Shop,” where he sold hacked accounts.
In June 2022, during an interview with police in Madison, Wisconsin, Garrison said he hacked the accounts himself and then sold them, according to the complaint.
Garrison said that from 2018 to 2021 he made about $15,000 per day while selling hacked accounts on the website and had made about $800,000. Police found a photo on Garrison’s phone showing the Goat Shop sold more than 225,000 products with a total sales revenue of $2,135,150.09, according to the complaint.
Joseph Garrison Is Also Facing Charges in Wisconsin in Connection to Bomb Threats & ‘Swatting’ Calls to Schools in Multiple States
Joseph Garrison is also facing charges in Dane County, Wisconsin, after he was accused of calling in bomb threats and making “swatting” calls to schools in Madison and in other states.
Garrison was arrested in August 2022 in Wisconsin on charges of bomb scare and making terrorist threats, court records show. He was 17 at the time. Garrison is free on bond in that case. He has pleaded not guilty.
According to a Madison Police Department press release, Garrison made several threats to Vel Phillips Memorial High School from February to April 2022. He also made threatening calls to schools in Texas and Pennsylvania, according to court records.
Police said in a criminal complaint obtained by WISC-TV that Garrison admitted he used Bitcoin to pay people to make the threats.
“According to police, Garrison made arrangements for the initial call at Memorial High because he was bored and did not want to be at school. He also allegedly told investigators he had money to pay for the threats because he ran an online store where he sold hacked passwords for online accounts. Garrison said at the site’s peak, it was making $15,000 a day, and at one point he had around $800,000 in his account,” the news station wrote.