MADISON, Wis. (WFRV) – An 18-year-old Wisconsin man has been charged for allegedly hacking into accounts on a fantasy sports and betting website and selling access to those accounts in order to steal hundreds of thousands of dollars.

Joseph Garrison of Madison, Wisconsin surrendered to authorities in New York Thursday morning for his role in the alleged cyber attack.

According to the U.S. Attorney’s Office, Southern District of New York, on or about November 18, 2022, Garrison launched a “credential stuffing attack” on the betting website. During a credential stuffing attack, a cyber threat actor collects stolen credentials, or username and password pairs, obtained from other large-scale data breaches of other companies, which can be purchased from the dark web.

The threat actor then systematically attempts to use those stolen credentials to obtain unauthorized access to accounts held by the same user with other companies and providers in order to compromise accounts where the user has maintained the same password.

Here, in connection with the attack on the betting website, there was a series of attempts to log into the betting website accounts using a large list of stolen credentials.

The criminal complaint states Garrison and others successfully accessed around 60,000 accounts at the betting website through the credential stuffing attack. In some instances, Garrison unlawfully accessed the victim accounts and added a new payment method on the account. He then allegedly deposited $5 into that account through the new payment method to verify that method, then withdrew all the existing funds from the victim accounts.

Using this method, Garrison allegedly stole around $600,000 from around 1,600 victim accounts.

Law enforcement executed a search warrant on Garrison’s house in February 2023 and in that search, they located programs typically used during credential stuffing attacks.

Those programs require individualized “config” files for a target website to launch credential stuffing attacks, and law enforcement located around 700 such config files for dozens of corporate websites on Garrison’s computer.

Additionally, Garrison allegedly had files of nearly 40 million username and password pairs, which are also used in credential stuffing attacks.

While searching his cell phone, law enforcement located conversations between Garrison and his co-conspirators, which included discussions about how to hack the betting website and how to profit from the hack of the betting website by extracting funds from the victim accounts directly or by selling access to victim accounts.

In one particular conversation, officials say Garrison discussed how successful he was at credential stuffing attacks and how much he enjoyed credential stuffing attacks. He also explained how he believed law enforcement would not catch or prosecute him.

fraud is fun . . . im addicted to see money in my account . . . im like obsessed with bypassing s***.

Text message from Garrison’s phone

Garrison is being charged with the following:

  • Conspiracy to Commit Computer Intrusions
    • Up to five years in prison
  • Unauthorized Access to a Protected Computer to Further Intended Fraud
    • Up to five years in prison
  • Unauthorized Access to a Protected Computer
    • Up to five years in prison
  • Wire Fraud Conspiracy
    • Up to 20 years in prison
  • Wire Fraud
    • Up to 20 years in prison
  • Aggravated Identity Theft
    • Minimum of two years in prison

“As alleged, Garrison used a credential stuffing attack to hack into the accounts of tens of thousands of victims and steal hundreds of thousands of dollars. Today, thanks to the work of my Office and the FBI, Garrison learned that you shouldn’t bet on getting away with fraud,” said U.S. Attorney Damian Williams.

Williams praised the outstanding work of the FBI. Williams also thanked the United States Attorney’s Office for the Western District of Wisconsin for their assistance in the investigation.

The case is being prosecuted by the Office’s Complex Frauds and Cybercrime Unit.