The Southern District of New York has charged a man with six counts related to an alleged hacking of DraftKings player accounts, in which 60,000 accounts were compromised.
The complaint alleges that Joseph Garrison unlawfully accessed DraftKings accounts in November 2022 by launching a “credential stuffing attack”, which inputs stolen credentials – such as usernames and passwords – into login pages for other services.
The indictment states that Garrison gained access to an estimated 60,000 DraftKings player accounts by doing this.
Garrison then allegedly sold access to these compromised accounts on several illegal websites, after which buyers withdrew around $600,000 from 1,600 of the compromised accounts.
After Garrison was traced by law enforcement, a search took place on his home, in which credential stuffing software and messages between him and co-conspirators were uncovered.
Garrison was charged with conspiracy to commit computer intrusion, two counts of computer fraud, conspiracy to commit wire fraud, wire fraud and aggravated identify theft.
A warrant has been issued for Garrison’s arrest.
In November 2022, DraftKings made a statement confirming that approximately $300,000 in customer funds has been affected by a mass hacking.