In this photo illustration, the American daily fantasy sports contest and sports betting company DraftKings logo is displayed on a smartphone screen.
Budrul Chukrut | Lightrocket | Getty Images
Federal prosecutors on Thursday announced criminal charges against an 18-year-old Wisconsin man for a scheme to hack and sell access to user accounts of the sports betting site DraftKings.
The man, Joseph Garrison, is accused of working with others to steal about $600,000 from approximately 1,600 victim accounts during the November 2022 attack, according to the U.S. Attorney’s Office in Manhattan.
DraftKings is not named in the criminal complaint against Garrison. But a person close to the company confirmed it was a target of the so-called credential stuffing attack.
Law enforcement authorities searched Garrison’s home in Wisconsin on Feb. 23, and recovered his computer and cellphone, according to the complaint.
On those devices, investigators found credential stuffing programs, instruction photos on how to use stolen user credentials to steal money from victim accounts, and messages between Garrison and co-conspirators, the complaint said.
The messages included ones where Garrison wrote, “fraud is fun . . . im addicted to see money in my account . . . im like obsessed with bypassing s—,” according to a court filing.
The images cited in the FBI affidavit were hosted on Imgur, a popular file-sharing website.
CNBC also found the same images on a website that purportedly sells compromised accounts on DraftKings and Fanduel, among others.
ESPN previously reported that a cyberattack in November affected users of DraftKings and rival site Fanduel. Fanduel told CNBC it wasn’t materially impacted by the attack: “Our security did its job.”
Garrison is charged with conspiracy to commit computer intrusions, unauthorized access to a protected computer to further intended fraud, unauthorized access to a protected computer, wire fraud conspiracy, wire fraud and aggravated identity theft.
He faces a maximum possible prison sentence of 20 years if convicted, but would likely get significantly less time under federal guidelines.
Chris Cylke, senior vice president for government relations at The American Gaming Association, an industry group, “The legal gaming industry is working hard to provide consumers with safe, regulated access to betting.”
“Today’s news reinforces the importance for law enforcement at all levels to hold fraudsters and other criminals accountable,” Cylke said.
–CNBC’s Rohan Goswami contributed to this report.
This story originally appeared on CNBC