Second Defendant Sentenced to 30 Months in Federal Prison for 2022 DraftKings Account Takeover Attack

Minimalist vector art of a gavel and smartphone on a green background, representing the DraftKings hacking sentence.

The sentencing of Nathan Latka’s co-conspirator highlights the severe legal repercussions for "credential stuffing" and the lucrative black market for stolen digital identities.

NEW YORK, NY — A second individual involved in the November 2022 cyberattack against the sports betting company DraftKings has been sentenced to 30 months in federal prison. The U.S. District Court for the Southern District of New York handed down the sentence to Joseph Garrison, 19, for his role in a high-volume "credential stuffing" campaign that compromised roughly 60,000 user accounts and resulted in the theft of approximately $600,000 in customer funds.

In addition to the prison term, Garrison has been ordered to pay $1.4 million in restitution and will undergo three years of supervised release. The sentencing follows that of his co-conspirator, Nathan Latka, who was previously sentenced to 18 months in connection with the same breach.

DraftKings Attack Breakdown

Attack Metric    Impact Details
Methodology      Automated credential stuffing: username/password pairs leaked in earlier, unrelated breaches replayed against the DraftKings login portal.
Victim Count     ~60,000 accounts compromised; ~$600,000 in customer funds stolen.
Legal Outcome    30 months in prison, $1.4 million in restitution and three years of supervised release (Joseph Garrison).

The Mechanism: Credential Stuffing at Scale

The DraftKings breach was not a traditional system "hack": no vulnerability in DraftKings' own infrastructure was exploited. It was a high-volume credential stuffing attack. The attackers used automated software to replay millions of username and password pairs, harvested from earlier, unrelated data breaches, against DraftKings' login portal. The technique succeeds only against accounts whose owners reused a password that had already leaked elsewhere, which is why a hit rate of well under one percent across millions of attempts still yields tens of thousands of valid logins.

According to court documents and reports from BleepingComputer and SecurityWeek:

  • Mass Compromise: The attack identified valid credentials for approximately 60,000 DraftKings accounts.
  • Account Takeovers (ATO): Once logged in, the attackers added new, attacker-controlled payment methods to victims' accounts and withdrew the existing account balances to them.
  • The "Marketplace" Element: Garrison did not only drain accounts himself; he also operated a dark web "shop" that sold access to compromised accounts to other criminals for $10 to $50 per account.
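The traffic pattern described above (one source replaying many different usernames, each tried about once, with a small number of successes) is what a defender can actually look for in login logs. The following detector is an added example written for this article, not DraftKings' code or any tool named in the reports; the log line format (`timestamp ip=... user=... result=ok|fail`), the sample entries and the thresholds are all assumptions. It separates a stuffing source from a user fumbling their own password and from a brute force against one account, and then lists the accounts that validated from the stuffing source, which are the probable takeovers.

```python
"""Detecting credential stuffing in login logs.

Added example, not DraftKings' code or any tool named in the article.
The log format (one line per login attempt: timestamp, ip=, user=, result=),
the sample entries and the thresholds are assumptions for illustration.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)

# Constructed sample log. 203.0.113.7 sprays 20 distinct usernames once each and
# gets two hits (reused passwords); 203.0.113.99 brute-forces one account;
# bob mistypes his password twice; carol logs in normally.
SAMPLE_LOG = [
    f"2022-11-18T03:00:{i:02d}Z ip=203.0.113.7 user=user{i:02d} "
    f"result={'ok' if i in (4, 11) else 'fail'}"
    for i in range(20)
] + [
    f"2022-11-18T03:01:{i:02d}Z ip=203.0.113.99 user=admin result=fail"
    for i in range(6)
] + [
    "2022-11-18T03:02:00Z ip=198.51.100.4 user=bob result=fail",
    "2022-11-18T03:02:09Z ip=198.51.100.4 user=bob result=fail",
    "2022-11-18T03:02:20Z ip=198.51.100.4 user=bob result=ok",
    "2022-11-18T03:03:00Z ip=192.0.2.9 user=carol result=ok",
    "this line is malformed and must be skipped",
]


@dataclass
class IpStats:
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)
    successes: list = field(default_factory=list)  # usernames that logged in


def aggregate(lines):
    """Per-source-IP counters over the log."""
    stats = defaultdict(IpStats)
    for line in lines:
        m = LINE_RE.match(line)
        if m is None:
            continue  # unparseable line: skip it, never crash the detector
        s = stats[m["ip"]]
        s.attempts += 1
        s.users.add(m["user"])
        if m["result"] == "fail":
            s.failures += 1
        else:
            s.successes.append(m["user"])
    return stats


def flag_stuffing_sources(stats, min_distinct_users=5, min_failure_ratio=0.8,
                          max_attempts_per_user=2.0):
    """IPs whose traffic looks like credential stuffing.

    Signature: many distinct usernames from one source, roughly one attempt
    per username, and mostly failures. A user fumbling their own password
    fails the distinct-user test; a brute force on one account fails the
    attempts-per-user test.
    """
    flagged = {}
    for ip, s in stats.items():
        distinct = len(s.users)
        if distinct < min_distinct_users:
            continue
        if s.failures / s.attempts < min_failure_ratio:
            continue
        if s.attempts / distinct > max_attempts_per_user:
            continue
        flagged[ip] = s
    return flagged


def probable_takeovers(flagged):
    """Accounts that validated from a flagged source: the stuffing 'hits'.

    These are the accounts to lock, force a password reset on, and review
    for payment-method changes and withdrawals.
    """
    return sorted({u for s in flagged.values() for u in s.successes})


if __name__ == "__main__":
    stats = aggregate(SAMPLE_LOG)
    flagged = flag_stuffing_sources(stats)
    for ip, s in flagged.items():
        print(f"stuffing source {ip}: {s.attempts} attempts, "
              f"{len(s.users)} usernames, {s.failures} failures")
    print("probable takeovers:", probable_takeovers(flagged))
```

In production the same counters would be kept per time window and the source key would usually be an IP range or an ASN rather than a single address, because stuffing tools rotate through proxy pools; the distinct-username and attempts-per-username tests are what still separate the spray from ordinary failed logins.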

Corporate Response and Multifactor Adoption

The 2022 incident forced DraftKings to implement a mandatory reset of user passwords and to significantly accelerate its rollout of multifactor authentication (MFA). At the time of the attack many users had not enabled MFA, so a single valid password, replayed by an automated script, was enough to take over an account and change where its money went.
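Rolling out MFA closes the login, but the money in this case moved through two post-login actions: adding a payout destination, then withdrawing to it. The following authorization check is an added example written for this article, not DraftKings' code; the session and user shapes, the action names, the five-minute step-up window and the 24-hour "new destination" hold are assumptions. It shows the password-only rule the attack exploited beside a hardened rule that refuses money-moving actions for accounts without MFA, demands a fresh second factor at the moment of the action, and holds a withdrawal to a freshly added destination from an unknown device for review.

```python
"""Step-up authorization for account actions that move money.

Added example, not DraftKings' code. The session and user shapes, action
names, freshness window and hold window are assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

SENSITIVE_ACTIONS = {"add_payment_method", "withdraw", "change_email"}
STEP_UP_MAX_AGE = timedelta(minutes=5)   # how recent a second factor must be
NEW_PAYOUT_HOLD = timedelta(hours=24)    # payout destinations younger than this are "new"


@dataclass
class User:
    username: str
    mfa_enrolled: bool


@dataclass
class Session:
    user: User
    password_verified: bool
    last_mfa_at: Optional[datetime]  # None if this session never passed a second factor
    device_known: bool               # has this device been seen for this user before?


@dataclass
class WithdrawRequest:
    amount: float
    payout_method_added_at: datetime  # when the destination was attached to the account


def authorize_weak(session: Session, action: str) -> bool:
    """The pre-hardening rule: a valid password is enough for anything.

    Against a stuffed password this lets the attacker add their own payout
    method and drain the balance in the same session.
    """
    return session.password_verified


def authorize(session: Session, action: str, now: datetime,
              request: Optional[WithdrawRequest] = None) -> Tuple[bool, str]:
    """Hardened rule. Returns (allowed, reason)."""
    if not session.password_verified:
        return False, "not_authenticated"
    if action not in SENSITIVE_ACTIONS:
        return True, "ok"
    if not session.user.mfa_enrolled:
        # A password alone never moves money: accounts without MFA are
        # read-only for sensitive actions until the owner enrols.
        return False, "mfa_enrollment_required"
    if session.last_mfa_at is None or now - session.last_mfa_at > STEP_UP_MAX_AGE:
        # Possession of the second factor must be proven close to the
        # action, not just once at login.
        return False, "step_up_required"
    if action == "withdraw" and request is not None:
        new_destination = now - request.payout_method_added_at < NEW_PAYOUT_HOLD
        if new_destination and not session.device_known:
            # The takeover pattern from the case: add a destination, then
            # withdraw to it, from a device the account has never seen.
            return False, "hold_for_review"
    return True, "ok"


if __name__ == "__main__":
    now = datetime(2022, 11, 18, 4, 0, tzinfo=timezone.utc)
    victim = Session(User("alice", mfa_enrolled=False), True, None, False)
    print("weak rule, add payout method:", authorize_weak(victim, "add_payment_method"))
    print("hardened rule, add payout method:", authorize(victim, "add_payment_method", now))
    fresh = Session(User("bob", True), True, now - timedelta(minutes=1), False)
    print("withdraw to 2-minute-old destination from new device:",
          authorize(fresh, "withdraw", now,
                    WithdrawRequest(100.0, now - timedelta(minutes=2))))
```

The reason string is returned rather than just a boolean so the front end can route the user to enrolment, to a step-up prompt, or to a "held for review" message, and so the denials themselves become a signal: a burst of `mfa_enrollment_required` denials on `add_payment_method` across many accounts is the post-login half of the stuffing pattern.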

The FBI’s investigation utilized blockchain analysis and records from "account-checking" software to trace the illicit sales back to Garrison’s digital footprint.


The CyberSignal Analysis

Signal 01 — The "Business of Fraud" Takedown

The $1.4 million restitution order, more than double the roughly $600,000 actually stolen, is a signal that law enforcement is targeting not just the intrusions but the economic infrastructure of fraud. By imposing restitution that far exceeds the attackers' actual take, the DOJ is attempting to break the profitability model of account-trading marketplaces. For businesses, this underscores the value of cooperating with law enforcement investigations, which is often the only realistic route to financial recovery.

Signal 02 — Digital Identity as a Shared Responsibility

This case is a textbook example of why digital identity is the most fragile link in the security chain. The attackers needed no zero-day exploit; they needed only users who reused passwords. The "Signal" for security leaders is that a password check on its own cannot tell a legitimate user from an attacker replaying that user's leaked password. Closing the gap means enforcing MFA rather than offering it, at minimum for any action that moves money, backing it with rate limiting and per-source anomaly detection on the login endpoint, and moving toward "passwordless" authentication, which is becoming a business necessity because it removes the reused password from the picture entirely.


Sources

Type           Source
News Update    SecurityWeek: DraftKings Sentencing
Case Study     BleepingComputer: Market Takedown
Legal Record   Security Affairs: Restitution Order
