Teenage hacker Joseph Garrison has been charged with six federal crimes for his role in a credential-stuffing attack on DraftKings customers.
The FBI has accused Garrison of working with other hackers to drain funds from the accounts of thousands of unsuspecting customers.
DraftKings was not named in the court filing, but the company later confirmed the news in a release.
“We worked with law enforcement in catching the alleged bad actor(s), and we want to thank the Department of Justice, including the FBI and U.S. Attorney, Southern District of New York, for their prompt and effective action,” said the Boston-based company.
DraftKings reiterated that its own security systems were not compromised. Hackers stole passwords and personal details from other sites, and used them to attack DraftKings.
Anyone that used the same passwords for DraftKings and the compromised sites was left vulnerable.
In the end, the hackers stole $600,000 from 1,600 DraftKings accounts, but the company quickly made them whole. It underscores the need to create unique passwords when signing up with online sportsbooks.
“When the identified credential stuffing incident occurred in November 2022, DraftKings provided notice to customers in relevant jurisdictions and restored amounts for a limited number of users who may have had funds improperly withdrawn from their accounts,” said the company in a statement.
Garrison, an 18-year-old from Wisconsin, was charged with conspiracy to commit computer intrusions, two counts of computer fraud, wire fraud, wire fraud conspiracy and aggravated identity theft.