Two more individuals have been charged with involvement in the DraftKings user accounts hacking scheme following an FBI investigation.

Yesterday (29 Jan), the Southern District of New York charged two individuals, Nathan Austad and Kamerin Stokes, in connection with a previously detailed scheme to hack into DraftKings accounts.

As outlined in the unsealed criminal complaint, the plan involved an 18 November “credential stuffing attack”, which ultimately saw $600,000 stolen from 1,600 accounts. The two face a maximum of 57 years in prison for the offences.

The scheme saw Austad and the already charged Joseph Garrison collect username and password pairs obtained in data breaches and made available for sale on the dark web.

The individuals then systematically tried the stolen credentials on DraftKings to gain access. This was followed by attempts to sell access to the compromised accounts or to directly steal the deposited money.

“As alleged, Nathan Austad and Kamerin Stokes were involved in a scheme to hack into the accounts of tens of thousands of victims and then to sell access to those stolen accounts online,” said SDNY US attorney Damian Williams.

“Our office is relentless in tracking down the perpetrators of cybercrime. Earlier this month, we announced an SDNY Whistleblower Pilot Program to encourage early and voluntary self-disclosure of criminal activity. To all cybercriminals: call us before we call you.”

60,000 DraftKings accounts compromised

Through this “credential stuffing” method, Austad and Garrison successfully accessed 60,000 DraftKings accounts.

Once inside they were able to steal funds stored in the accounts. This was done by adding a new payment method and depositing $5 to verify, which allegedly enabled the individuals to withdraw funds using the newly added method.

Prosecutors said access to the accounts was sold on several websites that traffic stolen accounts, colloquially known as ‘shops’.

Austad and Garrison sold some accounts on shops they directly controlled, including Austad’s shop named after comic strip character Snoopy.

The two then sold the details of the compromised accounts in bulk. Stokes was charged with purchasing a bulk order from the two with the intent to sell on the account details from his own shop.

“Everyone knows their committing fraud”

Around 2 December, Austad messaged his co-conspirators about the existence of the FBI investigation into the fraud.  

“everyone 3hould’ve been prepared for this before cashing out lol,” he wrote.

“lol fbi can’t do shit,” replied an unnamed user.

“like we I know the risk when we started lol . . . everyone knows their [sic] committing fraud,” added Austad in May 2023.

Prosecutors also detailed how Austad used AI tools to generate images using the following prompts:

“8k hyper-realistic digital art snoopy hacking into 8k hyper-realistic computer with hacker stuff on the screen,” “8k hyper realistic snoopy designed jet but instead of smoke trails it has money trails,” and, “100 bill hyper realistic but instead of the president its snoopy.”

Garrison pleaded guilty on 15 November 2023. His sentencing is scheduled for 1 February in front of US district judge Lewis A. Kaplan.

“Cyberattacks are growing increasingly more sophisticated, targeting all manner of businesses and posing a great risk to economic security,” said FBI assistant director in charge James Smith.

“Nathan Austad and Kamerin Stokes were allegedly part of a cyber intrusion that resulted in hundreds of thousands of dollars being stolen from victims’ accounts. As these defendants found out, if you conduct a cyberattack for profit, you can bet the FBI can and will bring you to justice.”

The US Department of Justice (DoJ) has announced a campaign to disrupt the activities of the BlackCat ransomware group responsible for the cyberattack on MGM Resorts.

The strategy involves the implementation of a decryption tool developed by the FBI to restore hacked systems, alongside cooperation with international law enforcement bodies and a campaign to seize control of the BlackCat computer systems and sites.

“In disrupting the BlackCat ransomware group, the Justice Department has once again hacked the hackers,” said deputy attorney general Lisa O. Monaco.

Monaco also highlighted the successful rollout of the FBI’s tool and committed the DoJ to continued action against the hackers.

The group, which also goes by the name ALPHV, caused chaos at MGM properties in September in a major breach that compromised operations including hotel room access, slot machines and booking systems.

In the aftermath of the attack, MGM said it expected the incident to result in a $100m hit to EBITDA.

While MGM’s Las Vegas Strip rival Caesars Entertainment also had systems compromised by the group, it was less affected after it paid a substantial portion of the hackers’ ransom.

In a search warrant unsealed today in the Southern District of Florida, the FBI said it had gained access to the BlackCat group’s computer network as part of the investigation and seized several websites operated by the hackers.

The warrant also details the global nature of the hackers’ activities, which include compromising government, defence sector and emergency services systems.

The interagency work has seen the campaign collaborate with law enforcement bodies worldwide including Germany’s Bundeskriminalamt, the UK’s National Crime Agency, the US Secret Service and Europol.

“The FBI continues to be unrelenting in bringing cybercriminals to justice and determined in its efforts to defeat and disrupt ransomware campaigns targeting critical infrastructure, the private sector, and beyond,” said FBI deputy director Paul Abbate.

SEC updates cyberattack disclosure rules

This week also saw the SEC’s new rules for cyberattack disclosure go into effect.

Under the rules, announced in July, companies are now required to disclose material cybersecurity incidents, as well as provide an annual report on their cybersecurity risk management, strategy and governance.

First announced by the financial regulator in July, the SEC said foreign private issuers would also be expected to make similar disclosures.

“Whether a company loses a factory in a fire — or millions of files in a cybersecurity incident — it may be material to investors,” said SEC chair Gary Gensler.

“Currently, many public companies provide cybersecurity disclosure to investors. I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way.

“Through helping to ensure that companies disclose material cybersecurity information, today’s rules will benefit investors, companies, and the markets connecting them.”

A recent UN anti-corruption conference flagged illegal betting as the primary catalyst for corruption within sports.

Last week’s Conference of the States Parties (CoSP10) in the US drew over 2,000 participants from governments, international bodies and various sectors, aiming to combat global corruption. 

James Porteous, research head of the Asian Racing Federation Council on Anti-Illegal Betting and Related Financial Crime, said that illegal betting is now the “number one factor fuelling corruption in sports,” pointing out that many existing regulations were drafted in the 19th century and are “not fit for the internet world.” 

$1.7tn wagered

According to the UN Office on Drugs and Crime (UNODC), up to $1.7tn is wagered on illegal betting markets controlled by organised crime each year.

Representatives from crime-fighting organisations at the conference also highlighted the magnitude of the issue. 

Humaid Al Ameemi, coordinator of Interpol’s anti-corruption unit, described match-fixing as a meticulously organised crime involving money laundering, and called for enhanced data sharing to combat it.

He said the manipulation of competitions is a “gateway to crime.”

Joseph Gillespie, FBI unit chief overseeing transnational threats, stressed the FBI’s commitment to addressing corruption in sport, as it enables organised crime to profit through activities like extortion and illegal betting.

To combat corruption, Interpol, UNODC, and the International Olympic Committee have created a guide for officials in criminal justice authorities and sports organisations, which equips them with practical tools to investigate and prevent match-fixing. 

The guide highlights that match-fixing has become a growing concern as corrupt individuals increasingly target athletes directly through social media platforms.

While acknowledging that match-fixing involves criminal acts beyond sports, including fraud and money laundering, it is viewed as an “attractive area to infiltrate because of the opportunity to make large profits with limited risk of detection and sanction as a result of a lack or non-uniformity of laws and regulations around the world.”

Investigating match-fixing

The report underscored that sports organisations alone cannot combat this issue effectively and emphasised the necessity of cooperation with law enforcement agencies and criminal justice authorities. 

“Effective and timely investigations play a crucial role in prevention strategies. At the same time, the failure to investigate or ineffective investigations can embolden would-be offenders,” the guide stressed. 

Football, as the world’s most popular sport with vast financial stakes, remains particularly susceptible to corruption. 

FIFA itself has faced accusations and scandals, notably in 2015 when several officials were arrested. 

FIFA President Gianni Infantino, addressing the conference via video message, stressed the significance of protecting football from corruption and ensuring fairness in sports.

“Football is a multi-billion dollar global industry which makes it a potential target for corruption and other kinds of criminal activity and that is something that we should avoid and combat to ensure that the playing field is always level,” he said.

Infantino highlighted the beneficial impact of the renewed Memorandum of Understanding between FIFA and UNODC, fostering over 60 anti-corruption projects. 

One of them, the Global Integrity Programme, targets match-fixing and has involved training hundreds of football integrity officers and government officials.

According to a report by Sportradar released earlier this year, less than 1% of monitored global sporting events show any signs of match-fixing.

Wisconsin resident Joseph Garrison, 19, faced charges in the Southern District of New York relating to a $600,000 hack into DraftKings user accounts.

Following an FBI investigation, Garrison pled guilty to conspiracy to commit computer intrusion before US magistrate judge Robert W. Lehrburger.

The crime carries a maximum penalty of five years in prison. Garrison is due to be sentenced by US district judge Lewis A. Kaplan on 16 January 2024.

“Joseph Garrison and his co-conspirators launched an online cyberattack, stealing approximately $600,000 from innocent victims’ accounts,” said the prosecutor, US attorney Damian Williams.   

“Garrison now stands convicted of a federal crime for targeting the accounts of victims making legitimate online wagers.”

Conspiracy to hack DraftKings accounts

According to charging documents, Garrison took part in a November 2022 “credential stuffing attack” to gain access to DraftKings user accounts.

This involved him taking usernames and passwords from data breaches, which can be bought on the dark web, then attempting to log in to DraftKings with the same details.

Since many individuals use the same password for multiple accounts, Garrison and his co-conspirators were able to gain access to approximately 60,000 DraftKings accounts using this method.

Once accounts were compromised, Garrison and the other involved individuals added a new payment method before depositing $5 to validate.

This enabled users to withdraw all existing funds via the new details. According to prosecutors, Garrison and the co-conspirators were able to steal $600,000 from around 1,600 victims using this approach.

In February 2023, police searched Garrison’s home, discovering the programmes needed to launch a credential stuffing attack.

These require individualised “config” files for a target website. The police said they found around 700 of these files for several corporate websites on Garrison’s computer.

The search also revealed close to 40 million username and password pairs on the computer, the other component of a credential stuffing attack.
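The sequence described here and in the earlier DraftKings article (replaying breached username and password pairs against the login page, then adding a new payment method, making a $5 verification deposit and withdrawing the balance) leaves a recognisable trail in an operator’s own logs. The following is an added example, not code from the page or from DraftKings: it flags source IPs whose login attempts look like credential replay and accounts whose payment activity matches the cash-out pattern; the event format, thresholds and log lines are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (assumed format, not real operator data):
# (timestamp, event, source_ip, username, detail)
EVENTS = [
    ("2022-11-18T01:00:01", "login_fail", "203.0.113.7", "alice", ""),
    ("2022-11-18T01:00:02", "login_fail", "203.0.113.7", "bob", ""),
    ("2022-11-18T01:00:03", "login_ok", "203.0.113.7", "carol", ""),
    ("2022-11-18T01:00:04", "login_fail", "203.0.113.7", "dave", ""),
    ("2022-11-18T01:00:05", "login_fail", "203.0.113.7", "erin", ""),
    ("2022-11-18T01:00:06", "login_ok", "203.0.113.7", "frank", ""),
    ("2022-11-18T01:02:00", "payment_added", "203.0.113.7", "carol", "card"),
    ("2022-11-18T01:02:30", "deposit", "203.0.113.7", "carol", "5.00"),
    ("2022-11-18T01:05:00", "withdraw", "203.0.113.7", "carol", "850.00"),
    ("2022-11-18T09:00:00", "login_ok", "198.51.100.2", "alice", ""),
    ("2022-11-18T09:30:00", "payment_added", "198.51.100.2", "alice", "card"),
    ("2022-11-20T10:00:00", "deposit", "198.51.100.2", "alice", "50.00"),
]

def stuffing_sources(events, min_users=5, min_fail_ratio=0.5):
    """Source IPs that try many distinct usernames and mostly fail: the
    signature of replaying breached credential pairs against a site."""
    stats = defaultdict(lambda: {"users": set(), "fails": 0, "total": 0})
    for _, ev, ip, user, _ in events:
        if ev in ("login_ok", "login_fail"):
            s = stats[ip]
            s["users"].add(user)
            s["total"] += 1
            s["fails"] += ev == "login_fail"
    return sorted(ip for ip, s in stats.items()
                  if len(s["users"]) >= min_users
                  and s["fails"] / s["total"] >= min_fail_ratio)

def cashout_takeovers(events, window=timedelta(hours=1), verify_max=5.0):
    """Accounts where a new payment method, a small verification deposit and a
    withdrawal all land within `window`: the cash-out sequence alleged here."""
    per_user = defaultdict(list)
    for ts, ev, _, user, detail in events:
        if ev in ("payment_added", "deposit", "withdraw"):
            per_user[user].append((datetime.fromisoformat(ts), ev, detail))
    flagged = []
    for user, evs in per_user.items():
        evs.sort()
        for i, (t0, ev, _) in enumerate(evs):
            if ev != "payment_added":
                continue
            later = [(e, d) for t, e, d in evs[i + 1:] if t - t0 <= window]
            verified = any(e == "deposit" and float(d) <= verify_max for e, d in later)
            if verified and any(e == "withdraw" for e, _ in later):
                flagged.append(user)
                break
    return sorted(flagged)

if __name__ == "__main__":
    print("stuffing sources:", stuffing_sources(EVENTS))
    print("cash-out takeovers:", cashout_takeovers(EVENTS))
```

In the sample, the single IP cycling through six usernames is flagged, as is the account that adds a card, deposits $5 and withdraws within minutes, while the genuine user who adds a card and deposits $50 two days later is not.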

“Fraud is fun”

Prosecutors also told of how Garrison’s phone contained discussions between Garrison and his co-conspirators.

These involved conversations about hacking DraftKings, as well as ways to profit from the hack by either directly stealing funds or selling on the compromised accounts to another actor.

One conversation, specifically highlighted by prosecutors, saw Garrison brag about his skill and the personal enjoyment he got from credential stuffing attacks.

“fraud is fun . . . im addicted to see money in my account . . . im like obsessed with bypassing shit.”

The case is just the latest reported hack in the US gaming industry, which has been repeatedly targeted over the last year.

In October, it was revealed land-based and online gaming giant MGM Resorts had been the victim of a phishing hack. The hackers caused chaos over the following week until order was restored.

The company’s competitor on the Vegas Strip, Caesars Entertainment, also had its systems compromised by cyber actors, though the damage was less severe.

The FBI has released a statement confirming the perpetrators of the theft of $41m in cryptocurrency from earlier this week.

According to the law enforcement agency, a group of cyber criminals operating from the Democratic People’s Republic of Korea (North Korea) called Lazarus Group was behind the attack.

The group, which is also known as APT38, is made up of North Korean cyber actors, according to the FBI.

An investigation undertaken by the agency showed the group had stolen the funds associated with the Ethereum, Binance Smart Chain (BSC), and Polygon networks.

The FBI has published a list of the specific cryptocurrency addresses that funds were directed to on its website.

Lazarus Group has been “responsible for several other high-profile international virtual currency heists,” the FBI added.

In 2023 alone, cyber criminals in North Korea have stolen more than $200m worth of cryptocurrency, it said, including around $60m from Alphapo and CoinsPaid in July, and $100m from Atomic Wallet in June.

The US Department of the Treasury’s Office of Foreign Assets Control (OFAC) previously sanctioned the Lazarus Group in 2019.

The FBI further advised private sector entities to review previously issued cybersecurity advice and to be vigilant in guarding against transactions associated with certain addresses.

It also requested anyone with further information to contact their local FBI field office or the FBI’s Internet Crime Complaint Center.

“The FBI will continue to expose and combat the DPRK’s use of illicit activities to generate revenue for the regime, including cybercrime and virtual currency theft,” it concluded.

Stake response

In a post shared on Medium, Stake co-founder Ed Craven sought to reassure the operator’s users following the attack.

In the post, Craven shared Stake’s preliminary findings on the matter but stressed that investigations are still ongoing.

“Within 20 minutes of the unauthorised transactions occurring, the incident was spotted and reported internally,” he wrote.

The source of the unauthorised activity was identified and containment measures implemented within four hours, he added, before reassuring customers that their personal data remains secure.

Critically, Craven added: “At no stage were any user funds ever compromised. Only a small portion of Stake’s bankroll to support large winning customers was affected.”

Two games affected by the attack remain disabled with the investigation ongoing, he added.

“While such events are rare (especially owing to our advanced security measures in-place), they can unfortunately happen to any company regardless of their size,” Craven continued.

“Cyber threats are a real risk in our tech-driven world and are only continuing to grow over time.”

He added that following the attack, several fake accounts on X offered refunds to customers, hiding malicious phishing links and providing fake updates on the matter.

Craven therefore urged users to always follow Stake’s official social media channels for accurate updates.

A more technical breakdown of how the exploit unfolded is expected “in the near future in order to help aid other companies protect against the same type of attack,” he concluded.

An ex-OpenSea staffer has been charged with wire fraud and money laundering in relation to a scheme to commit insider trading on the NFT market.

Last week, the United States Attorney for the Southern District of New York, Damian Williams, and assistant director-in-charge of the New York Field Office of the FBI, Michael J. Driscoll, announced the unsealing of an indictment against an individual called Nathaniel Chastain.

This marked the first digital asset insider trading scheme uncovered by US authorities.

According to the US Department of Justice (DoJ), Chastain is alleged to have used insider knowledge about which NFTs would be featured on OpenSea’s homepage to make lucrative investments in certain digital assets.

“Information about what NFT was going to be a featured NFT was OpenSea’s confidential business information because it was not publicly available until the featured NFT appeared on the OpenSea website homepage,” the DoJ said.

“The value of featured NFTs, as well as other NFTs made by the same NFT creator, typically appreciated once they appeared on the OpenSea homepage due to the increase in publicity and resulting demand for the NFT.”

As Chastain was responsible for selecting NFTs to be featured on the marketplace’s homepage as part of his employment, he is alleged to have exploited his advanced knowledge for personal financial gain.

The DoJ said Chastain purchased a total of some 45 digital collectibles on 11 separate occasions, between around June and September 2021, before reselling the NFTs for profits ranging between two and five times their initial purchase price.

To conceal the purchases, Chastain bought the items using anonymous digital currency wallets and anonymous accounts on OpenSea.

He is charged with one count of wire fraud and one count of money laundering, both of which carry a maximum sentence of 20 years in prison.

“NFTs might be new, but this type of criminal scheme is not,” said Williams.

“As alleged, Nathaniel Chastain betrayed OpenSea by using its confidential business information to make money for himself. Today’s charges demonstrate the commitment of this office to stamping out insider trading – whether it occurs on the stock market or the blockchain.”

Driscoll added: “In this case, as alleged, Chastain launched an age-old scheme to commit insider trading by using his knowledge of confidential information to purchase dozens of NFTs in advance of them being featured on OpenSea’s homepage. 

“With the emergence of any new investment tool, such as blockchain supported non-fungible tokens, there are those who will exploit vulnerabilities for their own gain. The FBI will continue to aggressively pursue actors who choose to manipulate the market in this way.”