An 18-year-old Wisconsin man has been charged with allegedly playing a central role in the theft of $600,000 from DraftKings customer accounts.
Joseph Garrison – who potentially faces years in the clink if convicted and apparently bragged to his co-conspirators that “fraud is fun” – surrendered to the cops Thursday morning in New York City and appeared before a judge later that afternoon.
He has been charged with conspiracy to commit computer intrusions, unauthorized access to a protected computer to further intended fraud, unauthorized access to a protected computer, wire fraud and wire fraud conspiracy, and aggravated identity theft.
According to the six-count criminal complaint [PDF] that was unsealed this week, Garrison’s alleged crime spree started with a credential-stuffing attack against DraftKings, which prosecutors only identified as “the betting website,” in November 2022.
Credential stuffing is where you have a list of username-password combinations for one website or app, and you throw those login details at other sites to see if any of them also work, taking advantage of the fact that people use the same usernames, email addresses and passwords across multiple services. That’s why using a strong unique password per site, with multi-factor authentication if possible, is ideal so that if one user database is stolen, the impact is limited.
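What that looks like from the defender's side, as an added example that is not part of the original article: a small Python detector that scans login events for the stuffing signature of one source trying many different accounts and mostly failing. The log format, thresholds, addresses and account names are all constructed assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (not real data): timestamp, source IP, username, result.
SAMPLE_LOG = """\
2022-11-18T02:00:01 203.0.113.7 alice@example.com FAIL
2022-11-18T02:00:03 203.0.113.7 bob@example.com FAIL
2022-11-18T02:00:05 203.0.113.7 carol@example.com OK
2022-11-18T02:00:07 203.0.113.7 dave@example.com FAIL
2022-11-18T02:00:09 203.0.113.7 erin@example.com FAIL
2022-11-18T02:00:11 203.0.113.7 frank@example.com FAIL
2022-11-18T02:01:00 198.51.100.20 grace@example.com FAIL
2022-11-18T02:01:20 198.51.100.20 grace@example.com OK
2022-11-18T02:02:00 192.0.2.44 heidi@example.com FAIL
2022-11-18T02:02:02 192.0.2.44 heidi@example.com FAIL
2022-11-18T02:02:04 192.0.2.44 heidi@example.com FAIL
"""

def parse(log):
    """Yield (time, ip, user, succeeded) tuples from the log text."""
    for line in log.strip().splitlines():
        ts, ip, user, result = line.split()
        yield datetime.fromisoformat(ts), ip, user, result == "OK"

def find_stuffing(events, window=timedelta(minutes=5), min_users=5, min_fail_ratio=0.6):
    """Return {ip: accounts that logged in OK} for sources showing a stuffing pattern.

    Stuffing tries one leaked pair per account, so per-account lockout never
    trips; the signal is many distinct usernames from one source, mostly failing.
    """
    by_ip = defaultdict(list)
    for event in sorted(events):
        by_ip[event[1]].append(event)
    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:  # slide the window forward
                start += 1
            chunk = evs[start:end + 1]
            users = {user for _, _, user, _ in chunk}
            fail_ratio = sum(not ok for *_, ok in chunk) / len(chunk)
            if len(users) >= min_users and fail_ratio >= min_fail_ratio:
                # Successful logins from a flagged source are likely takeovers.
                flagged[ip] = sorted({u for _, _, u, ok in evs if ok})
                break
    return flagged

if __name__ == "__main__":
    print(find_stuffing(parse(SAMPLE_LOG)))
```

The mistyped-password user and the single-account guessing run are both ignored; only the source that walks through many accounts is flagged, along with the one account whose reused password worked.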
As we reported at the time, the Boston-based sports gambling biz said that the login information of the impacted customers was stolen elsewhere and applied to their DraftKings accounts, where some passwords were reused. A classic