Teen hacker charged in scheme to siphon funds from sports betting accounts

An 18-year-old man is facing criminal charges for allegedly hacking into and selling access to tens of thousands of online sports betting accounts.

Federal prosecutors announced the charges on Thursday against Joseph Garrison of Madison, Wisconsin, who is accused of masterminding the credential stuffing scheme. Beginning in November 2022, Garrison purchased large batches of stolen username and password credentials being sold on the darknet, according to a criminal complaint.

He then allegedly used the login information to systematically try to access accounts on the sports betting platform. The name of the site isn’t given in the complaint but CNBC identified it as DraftKings, citing an anonymous source close to the company. That access was then sold on various websites, the complaint says, along with instructions for the buyer on how to siphon funds from the accounts.

“As alleged, Garrison attained unauthorized access to victim accounts using a sophisticated cyber-breaching attack to steal hundreds of thousands of dollars,” said FBI Assistant Director in Charge Michael J. Driscoll. “Cyber intrusions aiming to steal private individuals’ funds represent a serious risk to our economic security.”

In all, approximately 60,000 accounts were accessed in the scheme, and $600,000 was stolen from 1,600 accounts allegedly sold by Garrison and his co-conspirators.

At one point, representatives of the gambling site purchased stolen credentials to investigate the hack, after which they were sent instructions on how to steal funds. They were able to link a photo of a victim account included in the instructions to the IP address used when the account was tapped of its funds. Law enforcement also purchased credentials and were able to link an IP address connected to the instructions to Garrison.

On February 23, law enforcement executed a search warrant at Garrison’s family home, confiscating his computer and cell phone. On it were allegedly two programs used in credential stuffing attacks — OpenBullet and SilverBullet, which run customizable scripts on websites using a list of username and password combinations, of which they found more than 38 million. Investigators also allegedly found scripts for use on dozens of other companies.

Also seized were logs of chats between Garrison and alleged co-conspirators, in which the defendant boasted that “fraud is fun.”

“im addicted to see money in my account [sic],” he allegedly wrote. “idk it ruined my life personally,” an anonymous co-conspirator responded. “u already under enough heat.”

That “heat” may have been from Garrison’s previous interactions with law enforcement. In June 2022, he was questioned by Wisconsin police and admitted to running a website called “Goat Shop,” which sold access to hacked accounts. He claimed to have made about $800,000 from the site but had ceased his involvement in the cyber underworld.

Less than a year later, Garrison is charged with conspiracy to commit computer intrusions; unauthorized access to a protected computer to further intended fraud; unauthorized access to a protected computer; wire fraud conspiracy and wire fraud; and aggravated identity theft. The two most serious charges each carry a maximum of 20 years in prison.