DraftKings hails US government agencies as teen charged over cyberattack

DraftKings has welcomed charges against an 18-year-old hacker over a cyberattack against the firm in November, which saw the theft of $600,000 from 1,600 DraftKings sportsbook accounts.

In a statement released on Friday, the Boston-headquartered operator welcomed the end of a multi-agency investigation into the attack, after which the firm introduced significant changes to its account access, including twin-factor authentication.

“The safety and security of our customers’ personal and payment information is of paramount importance to DraftKings,” a spokesperson for the operator said.

“We worked with law enforcement in catching the alleged bad actor(s), and we want to thank the Department of Justice, including the FBI and US Attorney, Southern District of New York, for their prompt and effective action. 

“As we stated previously, bad actor(s) were able [to] use login credentials obtained from a third-party source to gain access to certain user accounts. 

“When the identified credential stuffing incident occurred in November 2022, DraftKings provided notice to customers in relevant jurisdictions and restored amounts for a limited number of users who may have had funds improperly withdrawn from their accounts,” DraftKings added.

On Thursday, the US Attorney’s Office, Southern District of New York confirmed the surrender of 18-year-old Joseph Garrison to authorities, and the unsealing of criminal complaints listing six counts of violating US law in relation to the attack.

Garrison, a Wisconsin native, used a credential stuffing attack to gain access to more than 60,000 DraftKings accounts, added new payment methods to existing accounts, utilized existing deposit methods to make deposits, and then drained these funds from the affected accounts.

‘Credential stuffing attacks’ are cyberattacks where individuals use login credentials (eg. email addresses/usernames and passwords) obtained from a third-party source to gain access to user accounts.

In most cases, they occur when individuals use the same login credentials on multiple websites.

Those programs require individualized “config” files for a target website to launch credential stuffing attacks, with law enforcement locating approximately 700 such config files for dozens of different corporate websites on Garrison’s computer.

Law enforcement also located files containing nearly 40 million username and password pairs on Garrison’s computer, which are also used in credential stuffing attacks.

Damning mobile phone conversations were obtained by authorities between Garrison and his co-conspirators, including discussions on how to hack DraftKings and how to profit from doing so, either through extracting fund from accounts or selling access to the accounts themselves.

In one particularly damning exchange, Garrison gloated about his skill in hacking, claiming “fraud is fun…I’m addicted to seeing money in my account…I’m like obsessed with bypassing shit.”

Garrison was charged with six federal crimes, including two counts of computer fraud, two counts of wire fraud, aggravated identity theft and conspiracy to commit computer intrusions.

If successfully charged, Garrison could face a jail term of between two and 20 years in Federal prison.

DraftKings’ fellow operators FanDuel and BetMGM also faced cyberattacks in November 2022, and have subsequently toughened up their own cybersecurity.