Wisconsin Man Sentenced To Prison For Hacking Fantasy Sports And Betting Website

Damian Williams, the United States Attorney for the Southern District of New York, announced today that JOSEPH GARRISON was sentenced to 18 months in prison for his role in a scheme to hack user accounts on a fantasy sports and betting website (the “Betting Website”) and sell access to those accounts, resulting in losses of hundreds of thousands of dollars to the users.  GARRISON was sentenced today before U.S. District Judge Lewis A. Kaplan.  On November 15, 2023, GARRISON pled guilty to one count of conspiring to commit computer intrusion.

U.S. Attorney Damian Williams said: “Joseph Garrison and his co-conspirators orchestrated a bold credential stuffing attack – collecting stolen usernames and password pairs from other large-scale data breaches – by exploiting vulnerabilities to siphon approximately $600,000 from unsuspecting victims.  Such attacks not only breach personal security but erode trust in online platforms.  Today’s sentencing underscores the urgent need for vigilance and the critical importance of our collective efforts in combatting cyber threats and safeguarding digital integrity.” 

According to the charging documents and other filings and statements made in court:

On or about November 18, 2022, GARRISON launched a “credential stuffing attack” on the Betting Website.  During a credential stuffing attack, a cyber threat actor collects stolen credentials, or username and password pairs, obtained from other large-scale data breaches, which can be purchased on the dark web.  The threat actor then systematically attempts to use those stolen credentials to obtain unauthorized access to accounts held by the same user with other companies and providers in order to compromise accounts where the user has maintained the same password.  Here, in connection with the attack on the Betting Website, there was a series of attempts to log into the Betting Website accounts using a large list of stolen credentials.

GARRISON and others successfully accessed approximately 60,000 accounts on the Betting Website (the “Victim Accounts”) through the credential stuffing attack.  In some instances, the individuals who unlawfully accessed the Victim Accounts were able to add a new payment method on the account, deposit $5 into that account through the new payment method to verify that method, and then withdraw all the existing funds in the Victim Account through the new payment method (i.e., to a newly added financial account belonging to the hacker), thus stealing the funds in the Victim Accounts.  Using this method, GARRISON and others stole approximately $600,000 from approximately 1,600 Victim Accounts on the Betting Website.

Law enforcement executed a search on GARRISON’s home in February 2023.  In that search, they located programs typically used for credential stuffing attacks.  Those programs require individualized “config” files for a target website to launch credential stuffing attacks, and law enforcement located approximately 700 such config files for dozens of different corporate websites on GARRISON’s computer.  Law enforcement also located files containing nearly 40 million username and password pairs on GARRISON’s computer, which are also used in credential stuffing attacks.

On GARRISON’s cellphone, law enforcement also located conversations between GARRISON and his co-conspirators, including discussions about how to hack the Betting Website and how to profit from the hack of the Betting Website by extracting funds from the Victim Accounts directly or by selling access to the Victim Accounts.  In one particular conversation, GARRISON discussed, in substance and in part, how successful he was at credential stuffing attacks, how much he enjoyed credential stuffing attacks, and how GARRISON believed that law enforcement would not catch or prosecute him.  Specifically, GARRISON messaged the following, in substance and in part: “fraud is fun . . . im addicted to see money in my account . . . im like obsessed with bypassing shit.”

*                *                *

In addition to the prison term, GARRISON, 19, of Madison, Wisconsin, was sentenced to 3 years of supervised release and ordered to pay $175,019.11 in forfeiture and $1,327,061 in restitution.

Mr. Williams praised the outstanding work of the Federal Bureau of Investigation.  Mr. Williams also thanked the New York City Police Department for its assistance in the investigation.

The case is being prosecuted by the Office’s Complex Frauds and Cybercrime Unit.  Assistant U.S. Attorneys Kevin Mead and Micah Fergenson are in charge of the prosecution.