
Wisconsin Teen Pleads Guilty to Conspiracy in Betting Website Hack


A 19-year-old man from Madison, Wisconsin, has pleaded guilty to conspiracy to commit computer intrusion. 

Joseph Garrison, along with his co-conspirators, orchestrated a scheme to hack user accounts at a fantasy sports and betting website, the U.S. Attorney’s Office, Southern District of New York said in a Wednesday (Nov. 15) press release.

Their motive was to gain unauthorized access to these accounts and sell that access in order to steal funds from them, according to the release. The successful attack resulted in the theft of approximately $600,000 from around 1,600 victim accounts.

On Nov. 18, 2022, Garrison initiated a “credential stuffing attack” on the website, the release said. This type of cyber threat involves collecting stolen credentials and using them to gain unauthorized access to accounts held by the same users across various platforms. 

In this case, Garrison and others accessed approximately 60,000 accounts on the website, per the release. In some cases, hackers added a new payment method to the compromised accounts, deposited a small amount of money, and then withdrew all existing funds through the newly added payment method. 

Law enforcement authorities executed a search warrant at Garrison’s residence in February, according to the press release. Programs commonly used for credential stuffing attacks were found on his computer, along with around 700 “config” files for different corporate websites. These files are essential for launching targeted credential stuffing attacks. 

Additionally, law enforcement discovered nearly 40 million username and password pairs, which are typically utilized in such attacks, the release said. Conversations retrieved from Garrison’s cellphone further revealed discussions about hacking the website and profiting from the stolen accounts. 

As a result of his guilty plea, Garrison now faces a maximum sentence of five years in prison, per the release. The sentence is scheduled to be determined by U.S. District Judge Lewis A. Kaplan on Jan. 16.

PYMNTS Intelligence has found that credential stuffing is one of the high-tech methods that can be wielded by bad actors and automated via artificial intelligence and machine learning to conduct thousands of attacks every hour. 

Nearly half of all organizations reported being targeted by fraud in 2022, according to “Fraud Technology Trends 2022,” a PYMNTS and DataVisor collaboration.