A six-count criminal complaint has been unsealed against a Wisconsin man who was allegedly part of a plot to hack user accounts on a fantasy sports and betting website and sell access to the hacked accounts in order to steal from them.
The man charged in the case, Joseph Garrison, 18, surrendered Thursday in New York City, the United States Attorney’s Office for the Southern District of New York said in a statement. Garrison has been charged with conspiracy to commit computer intrusions, unauthorized access to a protected computer, unauthorized access to a protected computer to further intended fraud, wire fraud conspiracy, wire fraud, and aggravated identity theft.
According to the complaint, Garrison launched what’s called a “credential stuffing attack” on the unnamed betting website. During such an attack, the hacker collects stolen usernames and passwords, typically obtained from large-scale data breaches. Those credentials are then systematically used to access accounts.
Garrison and others, whom the complaint does not name, allegedly accessed 60,000 accounts on the betting site in November 2022. In some cases, Garrison and the other parties were able to add a new payment method to the account, and then withdraw existing funds in the account and credit them to that payment method.
Using this method, Garrison and the others stole about $600,000 from 1,600 accounts.
Law enforcement began investigating the case after seeing stolen credentials from the betting site being sold online. Undercover officials purchased certain credentials, and an IP address found in the instructions for how to use the stolen logins was linked to Garrison.
Officials then searched Garrison’s home, according to the complaint, where they found programs and files establishing that Garrison accessed the betting site. There were nearly 40 million username and password pairs found on Garrison’s computer, as well as hundreds of configuration files for different corporate websites. They also found similar instructions about how to use stolen credentials to steal money and messages between Garrison and others involved in the scheme. In one message, referring to credential stuffing attacks, Garrison wrote “fraud is fun.”
The wire fraud charges each carry a maximum sentence of 20 years in prison, while the first three charges carry maximum sentences of five years apiece. The identity theft charge has a mandatory minimum sentence of two years in prison. The case will be prosecuted by the Southern District of New York’s Complex Frauds and Cybercrime Unit.
About five months before the sports betting site attack, Garrison admitted to the Madison, Wisconsin, police department that he had participated in previous credential stuffing attacks, the complaint said.