18-year-old charged with hacking 60,000 DraftKings betting accounts
The Department of Justice revealed today that an 18-year-old man named Joseph Garrison from Wisconsin had been charged with hacking into the accounts of around 60,000 users of the DraftKings sports betting website in November 2022.
Garrison and his co-conspirators devised a method allowing buyers of the stolen accounts to withdraw all funds, instructing them to add a new payment method to the hacked accounts, deposit a nominal sum of $5 through the newly added payment method to verify its validity, and subsequently withdraw all existing funds from the victims' accounts to a separate financial account under the attackers' control.
One month later, the sports betting company said it refunded hundreds of thousands of dollars stolen after 67,995 customers had their accounts hacked in the incident.
During the same period in November, FanDuel customers reported account compromises after credential-stuffing attacks, with the hacked accounts being sold on cybercrime marketplaces for as little as $2. Garrison is known to have run the "Goat Shop" website selling hacked DraftKings and FanDuel accounts after the two attacks.
Detailed instructions on how to empty breached DraftKings accounts were also provided on another online shop, and they match the instructions seen on Garrison's Goat Shop website in the complaint.
Following the November attack, DraftKings advised customers never to use the same password for multiple services, to turn on 2FA on their accounts immediately, and to unlink their bank accounts or remove banking details to block fraudulent withdrawal requests.
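The cash-out sequence described above (a new payment method, a nominal deposit through it, then a withdrawal of the whole balance to it) is a pattern a platform can alert on. The following is an added example, not code from DraftKings or the complaint; the event schema, names and thresholds are assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

# Assumed tuning values, not taken from the article.
WINDOW = timedelta(hours=24)   # how long a payment method counts as "new"
SMALL_DEPOSIT = 10.00          # ceiling for a nominal verification deposit
DRAIN_RATIO = 0.90             # share of the balance treated as "all funds"

# Constructed events: (timestamp, account, event, payment_method, amount, balance_before)
EVENTS = [
    # Full sequence: new method, $5 deposit, balance drained to that method.
    ("2024-01-01T09:02", "acct-1", "add_method", "pm-new", 0.0, 480.0),
    ("2024-01-01T09:03", "acct-1", "deposit", "pm-new", 5.0, 480.0),
    ("2024-01-01T09:06", "acct-1", "withdraw", "pm-new", 485.0, 485.0),
    # Benign: withdrawal to a method that was never newly added in this stream.
    ("2024-01-01T10:00", "acct-2", "deposit", "pm-old", 50.0, 200.0),
    ("2024-01-01T10:30", "acct-2", "withdraw", "pm-old", 240.0, 250.0),
    # Benign: new method and small deposit, but only a partial withdrawal.
    ("2024-01-01T11:00", "acct-3", "add_method", "pm-x", 0.0, 300.0),
    ("2024-01-01T11:01", "acct-3", "deposit", "pm-x", 5.0, 300.0),
    ("2024-01-01T11:30", "acct-3", "withdraw", "pm-x", 20.0, 305.0),
]

def find_cashouts(events):
    """Flag withdrawals that drain an account to a recently added,
    nominally funded payment method."""
    added, verified, alerts = {}, set(), []
    for ts, acct, kind, method, amount, balance in sorted(events, key=lambda e: e[0]):
        t = datetime.fromisoformat(ts)
        key = (acct, method)
        if kind == "add_method":
            added[key] = t
        elif kind == "deposit" and key in added and amount <= SMALL_DEPOSIT:
            verified.add(key)
        elif kind == "withdraw" and key in verified:
            recent = t - added[key] <= WINDOW
            drained = balance > 0 and amount / balance >= DRAIN_RATIO
            if recent and drained:
                alerts.append({
                    "account": acct,
                    "method": method,
                    "amount": amount,
                    "minutes_since_add": int((t - added[key]).total_seconds() // 60),
                })
    return alerts

if __name__ == "__main__":
    for alert in find_cashouts(EVENTS):
        print(alert)
```

A rule like this complements the 2FA and password advice: it holds or steps up verification on the withdrawal itself, so it still applies when a reused password has already let someone log in.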