Law Enforcement Detail Sportsbook Customer Account Hackings

In reporting the DOJ filing against one 18 year-old Wisconsin man alleging he hacked into and stole hundreds of thousands of dollars from sportsbook accounts, there are a number of standout allegations.  One seems to suggest there was collusion between Joseph Garrison and the sportsbook employees.

While DraftKings is not explicitly named in the complaint, It's been widely circulated that DraftKings is at the center of this case. 

DraftKings had previously denied a breach of customer accounts back in November when the incident took place.

The complaint alleges Garrison used a credential stuffing attack on the Betting Website in November 2022.  It was during this month that customers began complaining of missing funds in their wagering accounts.

During a credential stuffing attack, a cyber threat actor collects stolen credentials, or username and password pairs, obtained from other large-scale data breaches of other companies, which can be purchased on the darkweb.

The defendant is alleged to have then sold access to those Victim Accounts through various websites that marketed and sold illegal account credentials. The buyers of those credentials accessed the Victim Accounts and withdrew approximately $600,000 in total from the Victim Accounts (capitalized in the complaint).

Though Garrison lives in Wisconsin and the alleged crime appears to have taken place from his home in Madison, the case was filed in the state of New York, more specifically the Southern District of New York.  DraftKings does hold a license in the state.  More importantly perhaps, 30 of the compromised betting accounts are located within the Southern District of New York, which includes Manhattan and the Bronx, as well as Dutchess, Orange, Putnam, Rockland, Sullivan, and Westchester Counties.

Among the allegations made by the Justice Department:

• GARRISON transferred and used, and aided and abetted the use of, the identifying information of other people during and in relation to the computer intrusion and wire fraud offenses charged in this complaint.
• In connection with the Betting Website Attack on or about November 18, 2022, approximately 60,000 Victim Accounts at the Betting Website were successfully compromised.
• In some instances, the individuals who unlawfully accessed the Victim Accounts were able to add a new payment method on the account, deposit $5 into that account through the new payment method to verify that method, and then withdraw all the existing
  funds in the Victim Account through the new payment method (i.e., to a newly added financial account belonging to the hacker), thus stealing the funds in the Victim Account. Using this method, the hackers stole approximately $600,000 from approximately 1,600 Victim Accounts.
• The betting website has cooperated with law enforcement in providing details of the breach.
• The Betting Website checked the status of the Illustration Account on its own systems and saw that money had been withdrawn from the account on or about November 18, 2022, in a manner consistent with the hacking instructions, which is contrary to a statement issued by DraftKings to the press at the time.
• On or about January 9, 2023, the UC observed stolen Betting Website credentials for sale on a website (“Website-1”). The UC purchased two sets of those credentials—meaning usernames and passwords for two Victim Accounts—for approximately $11
  (the “Website-1 Credentials”). The UC made the purchase of credentials from an office located in the Southern District of New York and the credentials were transmitted to the UC and downloaded by the UC from the office located in the Southern District of New York.
• The law enforcement agent was able to identify chats involving alleged co-conspirators.
• Previous to the sportsbook hack in 2021, Madison police had investigated the defendant.  GARRISON at the time described the way that he hacked accounts, namely that he had taken username and passwords from data breaches, put them into a program called “Open Bullet,” and then used Open Bullet to attempt to access other websites using those lists of usernames and passwords.

DraftKings has yet to issue a public statement on the matter.  Once they do so, assuming they do so, we will publish it here.

- Chris Costigan, Gambling911.com Publisher