Joseph Garrison earned at least $2.1 million.
Joseph Garrison, 18, of Madison, Wisconsin, is accused of hacking the sports betting site DraftKings and stealing $600,000 from hundreds of customer accounts.
According to federal prosecutors in Manhattan, Garrison used stolen usernames and passwords he bought on the dark web to hack into 60,000 DraftKings accounts last November. He then sold this information to other people who used it to empty 1,600 customer accounts. This hack is called "credential stuffing" and works best when users use the same password and login on different sites.
"Fraud is fun," Garrison allegedly wrote in a text message to his accomplice, according to court documents. "I'm addicted to seeing money in my account."
DraftKings is not named in the criminal complaint, but confirmed that some of its clients' accounts were compromised in the scheme and said it returned the stolen money.
"The security and privacy of our customers' personal and payment information is of the utmost importance to DraftKings," the company said in a statement.
At the time of the hack, Garrison was already facing charges in a separate Wisconsin case for allegedly paying people in bitcoin online to make bomb threat calls to his own school in Madison and other cities where his friends lived. This practice is called "swatting". In one such case, Garrison allegedly asked for a threatening call because he was bored and wanted to go home, according to court records in Wisconsin.
Garrison turned himself in to New York authorities on Thursday morning and was scheduled to appear before a judge later that day. It was not immediately clear whether he had hired a lawyer in the hacking case, and the lawyer who represented him in the earlier "swatting" case did not respond to a message asking for comment on the arrest.
While the Wisconsin police were investigating the "swatting" case, they uncovered evidence that Garrison was involved in a number of hacking scams over the years and had amassed a fortune of $2.1 million by the age of 17. He admitted to earning an average of $15,000 a day from 2018 to 2021, but told investigators he stopped engaging in any hacking activity, court documents say.
But five months after that, he allegedly carried out a "credential stuffing" attack on the DraftKings website, prosecutors said. DraftKings employees were able to get on Garrison's trail after launching their own investigation and ransoming some of the credentials he stole, which he was selling on the dark web.
"Harrison gained unauthorized access to victims' accounts using a sophisticated cyberattack to steal hundreds of thousands of dollars," said FBI's Michael Driscoll. "Cyber intrusions aimed at stealing private funds pose a serious threat to our economic security."
The investigation later determined that the attacker's IP address, which was used to sell account information, matched the IP address of Garrison's parents' home, where he lived.
This is not the first time a sports betting site has been hacked. Earlier we wrote about how hackers stole the data of more than 2 million users of the BetUS website. We also reported on how hackers extorted $10 million from SBTech, a company that provides software for sports betting sites.