A Wisconsin teenager pleaded guilty Wednesday in New York federal court to conspiracy in connection with a scheme to hack user accounts at the DraftKings fantasy sports betting website and, with others, steal about $600,000 from its customers.
The defendant, Joseph Garrison, had boasted “fraud is fun” in a message that he had sent to his co-conspirators before he was nabbed by authorities, according to a criminal complaint in U.S. District Court in Manhattan.
The Manhattan U.S. Attorney’s Office said Garrison on Nov. 18 last year launched a so-called “credential stuffing attack” on the website. Hackers in such attacks use stolen user credentials obtained from past data breaches to gain unauthorized access to user accounts.
“Garrison and others successfully accessed approximately 60,000 accounts at the Betting Website,” the office said.
In some instances, the hackers were able to add a new payment method to the accounts, and after depositing $5 through the new method to verify it was authentic, were able to drain the accounts of “all the existing funds in the Victim Account,” prosecutors said.
About 1,600 DraftKings accounts were drained in the hack.
When federal authorities raided Garrison’s home in Madison in February, “they located programs typically used for credential stuffing attacks,” as well as “files containing nearly 40 million username and password pairs on” his computer, prosecutors said.
Garrison, who has been free on $100,000 bond since his arrest in May, is scheduled to be sentenced in Manhattan federal court on Jan. 16.
He faces a maximum possible sentence of five years in prison on the charge of conspiring to commit computer intrusion.