Man Steals $600K in Sports Betting Website Hack
A Wisconsin man, age 18, is accused of breaking into a fantasy sports and gambling website and taking hundreds of thousands of dollars from users’ individual accounts. Additionally, the FBI claims that the suspect boasted about how much he enjoyed it.
The FBI claims that Joesph Garrison, a resident of Madison, Wisconsin, not only gained access to tens of thousands of individual accounts but also sold access to them along with instructions on how to empty the accounts of the money they contained.
If found guilty of the online criminal conspiracy, Garrison could spend up to fifty years in jail.
The advanced hacking technique employed to carry out the attack, according to the FBI, is called “credential stuffing.“
Authorities claim that at the end of November 2022, Garrison launched the credential stuffing attack on an ‘unnamed’ sports betting website, which is when the entire operation allegedly got underway.
Credential stuffing is the practice of obtaining stolen credentials from past data breaches, such as username/password pairs that are frequently offered for sale on the dark web.
According to police, Garrison tried to enter into corresponding accounts on the sports betting website using the stolen credentials in an attempt to gain unauthorized access.
According to the FBI, Garrison was able to hack into about 60,000 accounts on the betting website together with a number of other suspects, some of whom are still at large. The hacker might occasionally attempt to add a new payment method to an account. The hackers would then be able to withdraw all of the money from that account if the payment method was verified.
Our Readers ALSO READFeds shut down 13 further DDoS-for-Hire services
According to the FBI, the gang used this technique to remove almost $600,000 from accounts belonging to over 1,600 victims. The FBI investigated the suspect’s home in February after the gambling website eventually spotted a lot of login attempts.
During the investigation, the FBI uncovered more than 700 individual ‘config files’ that were utilized to target various corporate websites for credential stuffing attacks.
Additionally, law enforcement discovered a staggering number of over 40 million username and password pairs stored on Garrison’s computer.
Furthermore, valuable evidence was extracted from the suspect’s cell phone, revealing conversations with co-conspirators discussing hacking methods, profit motives, and plans to steal from targeted sites and victim accounts.
The phone messages obtained by the FBI included Garrison’s remarks about his perceived success in credential-stuffing attacks, his enjoyment of such activities, and his belief that he would remain undetected.
One of the partial messages disclosed by the FBI simply expressed Garrison’s sentiments: “Fraud is fun… I find it addictive to see money in my account… I’m completely obsessed with bypassing security measures.”
Ultimately, 18-year-old Garrison is being charged with six counts in a criminal complaint, including aggravated identity theft, accessing a protected computer without authorization, conspiracy to commit wire fraud, and conspiracy to commit computer intrusions.
Garrison learned that you shouldn’t bet on getting away with fraud
Damian Williams, US Attorney General of New York.
Following an investigation by the New York Attorney General’s office and the New York FBI field office, the suspect turned himself into the US Southern District Court of New York on May 18.