The U.S. Department of Justice has taken action against two individuals involved in the hacking of almost 68,000 DraftKings accounts during a credential stuffing attack in November 2022. Nathan Austad (known as Snoopy) and Joseph Garrison faced charges for exploiting stolen credentials from previous breaches to compromise DraftKings accounts. The attackers allegedly sold access to these hacked accounts, resulting in the theft of approximately $635,000 from around 1,600 compromised accounts. This operation, marked by its sophistication, included the sale of accounts individually and in bulk, with the attackers devising a method for buyers to withdraw all available funds.
According to court documents, Garrison ran the “Goat Shop” website, where stolen DraftKings and FanDuel accounts were sold, generating over $2 million in revenue. The charges also shed light on an elaborate method employed by the attackers, instructing buyers to add a new payment method, deposit $5, and then withdraw existing funds to a separate account under their control. The investigation revealed evidence from seized devices, including discussions about the attack and tools such as OpenBullet and SilverBullet used for credential stuffing.
