Topline
A Wisconsin man pleaded guilty to a hacking scheme that stole about $600,000 from more than a thousand DraftKings accounts, prosecutors said Wednesday, months after accusing the 19-year-old defendant of telling a co-conspirator “fraud is fun”—as the gambling sector continues to experience brazen hacks on its systems.
Key Facts
Federal prosecutors in Manhattan said the defendant Joseph Garrison and other unnamed people accessed approximately 60,000 accounts on DraftKings, a sports betting platform, and stole around $600,000 from about 1,600 accounts.
Garrison faces a maximum sentence of five years in prison and is scheduled to be sentenced in January.
Prosecutors say Garrison carried out the scheme through a credential stuffing attack on DraftKings accounts, a tactic that uses user credentials stolen from other platforms and checks whether those credentials work on the targeted website.
Law enforcement searched Garrison’s home in February this year, finding programs and files typically used for credential stuffing attacks on his computer, according to the prosecutors’ statement, which added that investigators also found conversations between Garrison and co-conspirators about how to hack DraftKings.
In one of the conversations viewed by law enforcement, Garrison messaged an unnamed co-conspirator saying fraud was fun and that he was addicted to seeing money in his account.
Garrison’s attorney declined to comment, and DraftKings did not immediately respond to Forbes’ request for comment.
Big Number
64%. That’s the password reuse rate for users with more than one password exposed in 2021, according to cybercrime analytics firm SpyCloud. High rates of password reuse make credential stuffing a prevalent means of hacking user accounts.
Key Background
Last year, DraftKings users lost nearly $300,000, with some customers being locked out of accounts that had significant amounts of money withdrawn. The timing of the hack lines up with the approximate date prosecutors said Garrison carried out his credential stuffing attack on the platform. In light of the cyberattack, DraftKings encouraged customers to use unique passwords for its own platform and other websites, noting in a statement that the login information accessed by hackers was likely compromised on other websites and used to access DraftKings accounts. Competing online gambling company FanDuel was hacked this year in a MailChimp security breach that resulted in more than 100 customers having their names and email addresses accessed. Casino operators such as MGM Resorts and Caesars Entertainment have also been targeted by massive cyberattacks this year that resulted in the latter company paying millions of dollars to hackers, according to Bloomberg.
Further Reading
‘Fraud is fun’ DraftKings teen hacker pleads guilty in fantasy sports betting theft (CNBC)
Wisconsin Man Pleads Guilty To Hacking Fantasy Sports And Betting Website (DOJ)
Source: https://www.forbes.com/sites/antoniopequenoiv/2023/11/15/teenager-who-allegedly-bragged-fraud-is-fun-pleads-guilty-to-sports-betting-hack/