An 18-year-old Wisconsin man has been charged with crimes related to a cyberattack on a fantasy sports and betting site this fall that impacted approximately 60,000 accounts, according to an indictment unsealed Thursday by the United States Attorney's Office of the Southern District of New York.
Joseph Garrison of Madison, Wisconsin, was charged with five counts of conspiracy, fraud and identity theft during a credential stuffing attack that began in mid-November. In a credential stuffing attack, the culprits use stolen usernames and passwords that often are obtained on the dark web.
The charges carry a maximum sentence of 20 years in prison, if convicted. Garrison surrendered to authorities Thursday in New York, according to the news release announcing the indictment.
"As alleged, Garrison attained unauthorized access to victim accounts using a sophisticated cyber-breaching attack to steal hundreds of thousands of dollars," FBI assistant director in charge Michael J. Driscoll said in the release. "Cyber intrusions aiming to steal private individuals' funds represent a serious risk to our economic security. Combatting cyberattacks and holding the responsible threat actors accountable in the criminal justice system remains a top priority for the FBI."
The indictment did not identify the betting site, but a source familiar with the investigation confirmed to ESPN that it was DraftKings. Representatives from DraftKings did not immediately respond to requests for comment from ESPN.
FanDuel also was affected by a November cyberattack, but a spokesperson for the sportsbook said, "We were not materially impacted by this attack."
Law enforcement executed a search on Garrison's home in February and found "programs typically used for credential stuffing attacks" and computer files containing nearly 40 million username and password pairs, according to the release. In addition, authorities located discussions about how to hack the website and extract funds from the alleged victims' accounts on Garrison's phone, including a message that stated, "fraud is fun . . . im addicted to see money in my account . . . im like obsessed with bypassing s---," according to the release.
In December, DraftKings revealed in a data breach notification to the Maine Attorney General's Office that 67,995 people were exposed in the November incident. The sportsbook had estimated that $300,000 worth of unauthorized funds were withdrawn in the attack.
Joseph Garrison of Madison, Wisconsin, was charged with five counts of conspiracy, fraud and identity theft during a credential stuffing attack that began in mid-November. In a credential stuffing attack, the culprits use stolen usernames and passwords that often are obtained on the dark web.
The charges carry a maximum sentence of 20 years in prison, if convicted. Garrison surrendered to authorities Thursday in New York, according to the news release announcing the indictment.
"As alleged, Garrison attained unauthorized access to victim accounts using a sophisticated cyber-breaching attack to steal hundreds of thousands of dollars," FBI assistant director in charge Michael J. Driscoll said in the release. "Cyber intrusions aiming to steal private individuals' funds represent a serious risk to our economic security. Combatting cyberattacks and holding the responsible threat actors accountable in the criminal justice system remains a top priority for the FBI."
The indictment did not identify the betting site, but a source familiar with the investigation confirmed to ESPN that it was DraftKings. Representatives from DraftKings did not immediately respond to requests for comment from ESPN.
FanDuel also was affected by a November cyberattack, but a spokesperson for the sportsbook said, "We were not materially impacted by this attack."
Law enforcement executed a search on Garrison's home in February and found "programs typically used for credential stuffing attacks" and computer files containing nearly 40 million username and password pairs, according to the release. In addition, authorities located discussions about how to hack the website and extract funds from the alleged victims' accounts on Garrison's phone, including a message that stated, "fraud is fun . . . im addicted to see money in my account . . . im like obsessed with bypassing s---," according to the release.
In December, DraftKings revealed in a data breach notification to the Maine Attorney General's Office that 67,995 people were exposed in the November incident. The sportsbook had estimated that $300,000 worth of unauthorized funds were withdrawn in the attack.