FBI: 1,600 DraftKings Accounts Drained Of $600,000 Last Year

Written By

Updated on


Multiple people conspired to steal $600,000 from 1,600 DraftKings accounts last year, according to a court document.

The document, first reported by CNBC, alleges 18-year-old Joseph Garrison worked with others in November 2022 to break into accounts of a sports betting and fantasy sports website. DraftKings was not named in the document but the company confirmed the news Thursday evening:

“The safety and security of our customers’ personal and payment information is of paramount importance to DraftKings. We worked with law enforcement in catching the alleged bad actor(s), and we want to thank the Department of Justice, including the FBI and U.S. Attorney, Southern District of New York, for their prompt and effective action. 

“As we stated previously, bad actor(s) were able [to] use login credentials obtained from a third-party source to gain access to certain user accounts. When the identified credential stuffing incident occurred in November 2022, DraftKings provided notice to customers in relevant jurisdictions and restored amounts for a limited number of users who may have had funds improperly withdrawn from their accounts.

– Draftkings statement

A DraftKings filing from December reported the attack included 68,000 accounts and $300,000 in stolen funds.

Details of DraftKings attack

Garrison and others worked together to gain information on the accounts and then sell those accounts on the dark web, according to the findings of FBI Special Agent Michael Gassert.

Garrison distributed photos of how to withdraw funds from the stolen accounts. The process included the buyers entering their own phone number into an account to enable two-factor authentication, depositing a small amount to verify a bank account and then withdrawing funds to that same account.

Both DraftKings and undercover agents bought account information related to the attack.

This was not Garrison’s first rodeo. He previously ran a website that sold stolen accounts and made $800,000 between 2018 and 2021.

Hacker faces six charges

Garrison is being charged with six federal crimes:

DraftKings not only target of cyberattacks

There have been multiple other cyberattacks affecting US sports betting brands over the past year.

FanDuel was also attacked in the November attack, ESPN reported. The company was reportedly not materially impacted, though, telling CNBC: “Our security did its job.”

Fraudulent poker accounts were being set up in the name of prominent poker players in November as well, with some of those accounts being opened with BetMGM, ESPN reported.

Just last week, a hack of a third-party provider of PointsBet led to a fraudulent email sent to customers saying PointsBet would double whatever the customer sent them in cryptocurrency.