Security News > 2023 > May > 18-year-old charged with hacking 60,000 sports betting accounts
The Department of Justice revealed today that an 18-year-old man named Joseph Garrison from Wisconsin had been charged with hacking into the accounts of around 60,000 users of a fantasy sports and sports betting website in November 2022.
Garrison and his co-conspirators devised a method allowing buyers of the stolen accounts to withdraw all funds, instructing them to add a new payment method to the hacked accounts, deposit a nominal sum of $5 through the newly added payment method to verify its validity, and subsequently withdraw all existing funds from the victims' accounts to a separate financial account under the attackers' control.
Sports betting company DraftKings revealed on November 21 that up to $300,000 were stolen from accounts breached in a credential attack.
One month later, the sports betting company said it refunded hundreds of thousands of dollars stolen after 67,995 customers had their accounts hacked in the incident.
During the same period in November, FanDuel customers reported account compromises after credential-stuffing attacks, with the hacked accounts being sold on cybercrime marketplaces for as little as $2. Garrison is known to have run the "Goat Shop" website selling hacked DraftKings and FanDuel accounts after the two attacks.
Following the November attack, DraftKings advised customers never to use the same password for multiple services, to turn on 2FA on their accounts immediately, and unlink their bank accounts or remove banking details to block fraudulent withdrawal requests.