Teen charged with hacking DraftKings, said ‘fraud is fun’

In this photo illustration, the logo of DraftKings, the American daily fantasy sports contest and sports betting company, is seen displayed on a smartphone screen.

Budrul Chukrut | flare | Getty Images

Federal prosecutors on Thursday filed criminal charges against an 18-year-old Wisconsin man over a scheme to hack user accounts at the sports betting site DraftKings and sell access to them.

According to U.S. attorneys in Manhattan, the man, Joseph Garrison, is accused of conspiring with others to steal about $600,000 from about 1,600 victim accounts in the November 2022 attack.

DraftKings is not named in the criminal complaint against Garrison. However, a person close to the company confirmed that it was the target of the credential stuffing attack.

According to the complaint, on February 23, law enforcement officers searched Garrison’s Wisconsin home and seized his computer and cell phone.

On those devices, investigators found credential stuffing programs, instructional photos on how to use stolen user credentials to steal money from victim accounts, and messages between Garrison and co-conspirators, the complaint says.

The messages also included one in which Garrison wrote, “Cheating is fun…I’m addicted to seeing money in my account…I’m obsessed with bypassing shit,” according to a court filing.

The images cited in the FBI affidavit were hosted on Imgur, a popular file-sharing website.

CNBC also found the same images on a website allegedly selling compromised accounts at DraftKings and Fanduel, among others.

ESPN previously reported that a cyberattack in November affected users of DraftKings and rival site Fanduel. Fanduel told CNBC that the attack had no significant impact: “Our security did its job.”

Garrison is charged with conspiracy to break into computers, unauthorized access to a protected computer to further fraud, unauthorized access to a protected computer, conspiracy to commit wire fraud, wire fraud and aggravated identity theft.

If convicted, he faces a maximum sentence of 20 years, but under federal guidelines he would probably serve a much shorter sentence.

“The legal gaming industry is working hard to provide consumers with safe, regulated access to wagering,” said Chris Cylke, senior vice president of government relations at the American Gaming Association, an industry group.

“Today’s news underscores the importance of holding fraudsters and other criminals accountable for law enforcement at all levels,” Cylke said.

– CNBC’s Rohan Goswami contributed to this report.