Teen Hacker Pleads Guilty to Stealing $600,000 from DraftKings Customers

Joseph Garrison, 19, admitted to accessing approximately 60,000 accounts using stolen credentials in a 'credential stuffing attack'.

Joseph Garrison, a 19-year-old from Wisconsin, pleaded guilty to conspiracy in connection with a scheme to hack user accounts at the DraftKings fantasy sports betting website and steal about $600,000 from its customers.
Garrison and his co-conspirators successfully accessed approximately 60,000 accounts at the betting website using a 'credential stuffing attack', a method where hackers use stolen user credentials obtained from past data breaches to gain authorized access to user accounts.
In some instances, the hackers were able to add a new payment method to the accounts, and after depositing $5 through the new method to verify it was authentic, were able to drain the accounts of all the existing funds. About 1,600 DraftKings accounts were drained in the hack.
When federal authorities raided Garrison's home in Madison in February, they located programs typically used for credential stuffing attacks, as well as files containing nearly 40 million username and password pairs on his computer.
Garrison, who has been free on $100,000 bond since his arrest in May, is scheduled to be sentenced in Manhattan federal court on Jan. 16. He faces a maximum possible sentence of five years in prison on the charge of conspiring to commit computer intrusion.