February 21, 2024

In this photo illustration, the logo of American daily fantasy sports and sportsbook company DraftKings is displayed on a smartphone screen.

Chukrut | Light Rocket | Getty Images

federal prosecutor Criminal charges were announced Thursday against an 18-year-old Wisconsin man for planning to to crack and sell access to user accounts on sports betting sites draft king.

The man, Joseph Garrison, is accused of cooperating in the November 2022 attacks that stole about 600,000 people from about 1,600 victim accounts, according to the U.S. Attorney’s Office in Manhattan. Ten thousand U.S. dollars.

DraftKings did not appear in the criminal complaint against Garrison. But a person close to the company said it was the target of a so-called credential stuffing attack. DraftKings later confirmed this.

In a statement to CNBC, DraftKings said: “The safety and security of our customers’ personal and payment information is of the utmost importance to DraftKings. We have worked with law enforcement to catch alleged bad actors, and we would like to thank the Department of Justice , including the FBI and the U.S. Attorney for the Southern District of New York, thank them for their swift and effective action.”

The company said it recovered funds for a “limited number of users” affected by the breach.

Law enforcement raided Garrison’s Wisconsin home on Feb. 23 and recovered his computer and cell phone, the indictment said.

On the devices, investigators found credential stuffers, photos illustrating how stolen user credentials were used to steal money from victim accounts, and messages between Garrison and co-conspirators, the indictment said.

Those messages included Garrison writing, “Fraud is fun…I’m obsessed with seeing the money in my account…I’m like obsessed with getting around s—,” according to a court filing.

The images cited in the FBI affidavit were hosted on the popular file-sharing website Imgur.

CNBC also found the same image on a website that allegedly sold stolen accounts on sites like DraftKings and FanDuel.

ESPN previously reported that, cyber attacks in november Affected users of DraftKings and rival site FanDuel. FanDuel told CNBC it was not materially affected by the attack: “Our security work is done.”

Garrison is charged with conspiracy to commit computer intrusion, unauthorized access to a protected computer to further commit fraud, unauthorized access to a protected computer, conspiracy to commit wire fraud, wire fraud and aggravated identity theft.

If convicted, he faces up to 20 years in prison, though his sentence could be significantly shorter under federal guidelines.

“The legal gaming industry is working hard to provide consumers with access to safe, regulated gambling,” Chris Cylke, senior vice president of government relations for the American Gaming Association, an industry group, told CNBC.

“Today’s news underscores the importance of law enforcement at all levels holding fraudsters and other criminals accountable,” Cylke said.

– CNBC Rohan Goswami contributed to this report.