FBI: man steals $600k in sports betting website hack

An 18-year-old Wisconsin man has been charged with hacking into a fantasy sports and betting website and stealing hundreds of thousands of dollars from individual account holders who use the site. What’s more, the suspect boasted about how much he enjoyed it, according to the FBI.

The FBI says the man, Joesph Garrison of Madison, Wisconsin, not only hacked into thousands of individual accounts but sold access to them, including instructions on how to drain the accounts of the funds inside them.

In total, Garrison is facing a maximum of fifty years in prison if convicted of the online criminal conspiracy.

The FBI said the sophisticated hacking method used to carry out the attack is known as “credential stuffing.”

Authorities say the entire operation began around late November 2022, when Garrison launched the credential stuffing attack on an ‘unnamed’ sports betting website.

Credential stuffing is when a hacker obtains stolen credentials, such as usernames and password pairs from previous data breaches, often available for sale on the dark web.

Garrison attempted to use the stolen credentials to try and log into matching accounts on the sports betting website to gain unauthorized access, investigators said.

The FBI says Garrison, along with several other suspects – some still unknown – were able to hack into roughly 60,000 accounts on the betting site.

In some cases, the hackers would try to add a new payment method to an account.

If the payment method was verified, the hackers would then be able to withdraw all the funds in that account.

The FBI said the gang was able to withdraw roughly $600,000 from approximately 1,600 victim accounts using this method.

The betting website eventually noticed a large number of login attempts and alerted the FBI, who searched the suspects house this past February.

During the search, the FBI found over 700 individual ‘config files’ – used to target a website for credential stuffing attacks – associated with dozens of different corporate websites.

In addition, law enforcement found over 40 million username and password pairs on Garrison’s computer.

The suspects cell phone also provided a treasure trove of evidence.

The FBI said conversations about how to hack, profit and steal from the site and victim accounts were exchanged with other co-conspirators.

The phone messages included comments made by Garrison about how successful he thought he was at credential stuffing attacks, how much he enjoyed it, and how he believed he would not get caught.

One of Garrison’s partial messages released by the FBI simply stated: “fraud is fun . . . im addicted to see money in my account . . . im like obsessed with bypassing shit.”

In the end, 18-year-old Garrison is being charged with a six-count criminal complaint, including conspiracy to commit computer intrusions, unauthorized access to a protected computer, wire fraud and conspiracy, and aggravated identity theft.

“Garrison learned that you shouldn’t bet on getting away with fraud,” said New York’s US Attorney General Damian Williams.

The suspect turned himself into the US Southern District Court of New York on May 18 after an investigation by the New York’s Attorney General and New York FBI field office.