The DraftKings Hack – eCrimeBytes Nibble #46

Joseph Garrison’s gamble that he could get away with hacking DraftKings did not pay off. Garrison’s story is told best from the official DoJ complaint:

In or about November 2022, in the Southern District of New York and elsewhere, JOSEPH GARRISON, the defendant, knowingly and with the intent to defraud, accessed a protected computer without authorization, and exceeded authorized access, and by means of such conduct furthered the intended fraud and obtained anything of value totaling more than $5,000 during a one-year period, to wit, GARRISON obtained unauthorized access to victims’ electronic betting accounts on the Betting Website and sold the means of unauthorized access to those accounts—namely, account login information along with instructions for how to drain funds from the compromised accounts—to others who used that information to steal hundreds of thousands of dollars from the victim accounts.

JOSEPH GARRISON, the defendant, launched a credential stuffing attack on the Betting Website in November 2022 (the “Betting Website Attack”) and thereby obtained access to tens of thousands of the Betting Website user accounts (the “Victim Accounts”).

During a credential stuffing attack, a cyber threat actor collects stolen credentials, or username and password pairs, obtained from other large-scale data breaches of other companies, which can be purchased on the darkweb. The threat actor then systematically attempts to use those stolen credentials to obtain unauthorized access to accounts held by the same user with other companies and providers, in order to compromise accounts where the user has maintained the same password.

GARRISON then sold access to those Victim Accounts through various websites that marketed and sold illegal account credentials. The buyers of those credentials accessed the Victim Accounts and withdrew approximately $600,000 in total from the Victim Accounts.

When law enforcement began its investigation, credentials stolen in the Betting Website Attack were being offered for sale on the internet. Undercover law enforcement purchased certain credentials stolen in the Betting Website Attack, and the Internet protocol (“IP”) address that uploaded the instructions to use those stolen credentials to steal money from the Victim Accounts was linked to GARRISON.

Law enforcement executed a search on GARRISON’s home, where they recovered, among other things: (i) credential stuffing programs and files establishing that GARRISON used those programs to access the Betting Website; (ii) instructional photographs about how to use the stolen credentials to steal money from the Victim Accounts; (iii) messages between GARRISON and co-conspirators about the Betting Website Attack; and (iv) messages from GARRISON to co-conspirators about other similar credential stuffing attacks, including but not limited to the message, “fraud is fun,” which referred to credential stuffing attacks generally.

Prior to the Betting Website Attack, in an interview conducted by the Madison, Wisconsin Police Department, GARRISON admitted to participating in similar credential stuffing attacks.

Two more points I found interesting were:

In connection with the Betting Website Attack on or about November 18, 2022, approximately 60,000 Victim Accounts at the Betting Website were successfully compromised.

In some instances, the individuals who unlawfully accessed the Victim Accounts were able to add a new payment method on the account, deposit $5 into that account through the new payment method to verify that method, and then withdraw all the existing funds in the Victim Account through the new payment method (i.e., to a newly added financial account belonging to the hacker), thus stealing the funds in the Victim Account. Using this method, the hackers stole approximately $600,000 from approximately 1,600 Victim Accounts.
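The cash-out sequence described in the complaint (new payment method, small verification deposit, then a withdrawal of nearly the whole balance through that same method) is something an operator can alert on. The following detection rule is an added example, not code from the complaint or from the Betting Website; the event names, field layout, sample events and thresholds are all assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real data):
# (time, account, event, payment_method, amount, balance_before_event)
EVENTS = [
    ("2022-11-18T10:00:00", "acct-A", "login", None, 0.0, 412.50),
    ("2022-11-18T10:02:00", "acct-A", "method_added", "pm-901", 0.0, 412.50),
    ("2022-11-18T10:03:00", "acct-A", "deposit", "pm-901", 5.00, 412.50),
    ("2022-11-18T10:06:00", "acct-A", "withdrawal", "pm-901", 417.50, 417.50),
    # Existing method, partial cash-out: normal customer behaviour.
    ("2022-11-18T11:00:00", "acct-B", "deposit", "pm-100", 5.00, 80.00),
    ("2022-11-18T11:05:00", "acct-B", "withdrawal", "pm-100", 20.00, 85.00),
    # New method, but a large deposit and no withdrawal.
    ("2022-11-18T12:00:00", "acct-C", "method_added", "pm-777", 0.0, 10.00),
    ("2022-11-18T12:01:00", "acct-C", "deposit", "pm-777", 200.00, 10.00),
]


def flag_drains(events, window=timedelta(hours=24),
                max_verify_deposit=10.0, drain_ratio=0.9):
    """Return (account, method, amount) for each add -> small deposit -> drain sequence.

    window, max_verify_deposit and drain_ratio are illustrative thresholds.
    """
    state = {}  # (account, method) -> {"added": datetime, "verified": bool}
    hits = []
    for ts, acct, kind, method, amount, balance in sorted(events, key=lambda e: e[0]):
        t = datetime.fromisoformat(ts)
        key = (acct, method)
        if kind == "method_added":
            state[key] = {"added": t, "verified": False}
            continue
        s = state.get(key)
        if s is None or t - s["added"] > window:
            continue  # method was not added recently: outside this rule
        if kind == "deposit" and amount <= max_verify_deposit:
            s["verified"] = True  # looks like a verification deposit
        elif (kind == "withdrawal" and s["verified"]
              and balance > 0 and amount >= drain_ratio * balance):
            hits.append((acct, method, amount))
    return hits


if __name__ == "__main__":
    for acct, method, amount in flag_drains(EVENTS):
        print(f"ALERT {acct}: {amount:.2f} withdrawn via newly added {method}")
```

In production the same rule would usually hold the withdrawal for review or step-up authentication rather than only raise an alert after the fact.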

