Damian Williams, the United States Attorney for the Southern District of New York, and Michael J. Driscoll, the Assistant Director in Charge of the New York Field Office of the Federal Bureau of Investigation (“FBI”), announced the unsealing of a six-count criminal Complaint charging JOSEPH GARRISON in connection with a scheme to hack user accounts at a fantasy sports and betting website (the “Betting Website”) and sell access to those accounts in order to steal hundreds of thousands of dollars from them. GARRISON surrendered this morning in New York, New York, and will be presented this afternoon before United States Magistrate Judge James L. Cott.
U.S. Attorney Damian Williams said: “As alleged, Garrison used a credential stuffing attack to hack into the accounts of tens of thousands of victims and steal hundreds of thousands of dollars. Today, thanks to the work of my Office and the FBI, Garrison learned that you shouldn’t bet on getting away with fraud.”
FBI Assistant Director in Charge Michael J. Driscoll said: “As alleged, Garrison attained unauthorized access to victim accounts using a sophisticated cyber-breaching attack to steal hundreds of thousands of dollars. Cyber intrusions aiming to steal private individuals’ funds represent a serious risk to our economic security. Combatting cyberattacks and holding the responsible threat actors accountable in the criminal justice system remains a top priority for the FBI.”
As alleged in the Complaint:
On or about November 18, 2022, GARRISON launched a “credential stuffing attack” on the Betting Website. During a credential stuffing attack, a cyber threat actor collects stolen credentials, or username and password pairs, obtained from other large-scale data breaches of other companies, which can be purchased on the dark web. The threat actor then systematically attempts to use those stolen credentials to obtain unauthorized access to accounts held by the same user with other companies and providers in order to compromise accounts where the user has maintained the same password. Here, in connection with the attack on the Betting Website, there was a series of attempts to log into the Betting Website accounts using a large list of stolen credentials.
GARRISON and others successfully accessed approximately 60,000 accounts at the Betting Website (the “Victim Accounts”) through the credential stuffing attack. In some instances, the individuals who unlawfully accessed the Victim Accounts were able to add a new payment method on the account, deposit $5 into that account through the new payment method to verify that method, and then withdraw all the existing funds in the Victim Account through the new payment method (i.e., to a newly added financial account belonging to the hacker), thus stealing the funds in the Victim Account. Using this method, GARRISON and others stole approximately $600,000 from approximately 1,600 Victim Accounts.
Law enforcement executed a search on GARRISON’s home in February 2023. In that search, they located programs typically used for credential stuffing attacks. Those programs require individualized “config” files for a target website to launch credential stuffing attacks, and law enforcement located approximately 700 such config files for dozens of different corporate websites on GARRISON’s computer. Law enforcement also located files containing nearly 40 million username and password pairs on GARRISON’s computer, which are also used in credential stuffing attacks.
On GARRISON’s cellphone, law enforcement also located conversations between GARRISON and his co-conspirators, which included discussions about how to hack the Betting Website and how to profit from the hack of the Betting Website by extracting funds from the Victim Accounts directly or by selling access to the Victim Accounts. In one particular conversation, GARRISON discussed, in substance and in part, how successful he was at credential stuffing attacks, how much he enjoyed credential stuffing attacks, and how GARRISON believed that law enforcement would not catch or prosecute him. Specifically, GARRISON messaged the following, in substance and in part: “fraud is fun . . . im addicted to see money in my account . . . im like obsessed with bypassing shit.”
* * *
GARRISON, 18, of Madison, Wisconsin, is charged with conspiracy to commit computer intrusions, which carries a maximum sentence of five years in prison; unauthorized access to a protected computer to further intended fraud, which carries a maximum sentence of five years in prison; unauthorized access to a protected computer, which carries a maximum sentence of five years in prison; wire fraud conspiracy, which carries a maximum sentence of 20 years in prison; wire fraud, which carries a maximum sentence of 20 years in prison; and aggravated identity theft, which carries a mandatory minimum sentence of two years in prison.
The minimum and maximum potential sentences are prescribed by Congress and are provided here for informational purposes only, as any sentencing of the defendant will be determined by a judge.
Mr. Williams praised the outstanding work of the FBI. Mr. Williams also thanked the United States Attorney’s Office for the Western District of Wisconsin for their assistance in the investigation.
The case is being prosecuted by the Office’s Complex Frauds and Cybercrime Unit. Assistant U.S. Attorneys Kevin Mead and Micah Fergenson are in charge of the prosecution.
The charges contained in the Complaint are merely accusations, and the defendant is presumed innocent unless and until proven guilty.
 As the introductory phrase signifies, the entirety of the text of the Complaint and the description of the Complaint set forth herein constitute only allegations, and every fact described should be treated as an allegation.