Full Report
Two Connecticut men face federal charges for allegedly defrauding FanDuel and other online gambling sites of $3 million over several years using the stolen identities of approximately 3,000 victims. [...]
Analysis Summary
# Incident Report: Massive Online Gambling Identity Fraud Scheme
## Executive Summary
Two individuals allegedly defrauded online gambling platforms, including FanDuel, of approximately $3 million over five years by using the stolen identities of roughly 3,000 victims. The scheme involved acquiring Personally Identifiable Information (PII) from darknet sources, using it to establish fraudulent accounts, exploiting new user bonuses, and laundering the winnings through stored-value cards. The incident resulted in significant financial fraud and identity theft impacting thousands of individuals.
## Incident Details
- **Discovery Date:** Not explicitly stated; charges were announced in February 2026, which implies an investigation in the period leading up to that date.
- **Incident Date:** Attacks occurred between April 2021 and 2026.
- **Affected Organization:** FanDuel, DraftKings, BetMGM, and other unnamed online gambling sites.
- **Sector:** Online Gambling/Financial Technology.
- **Geography:** Connecticut, USA (perpetrator locations).
## Timeline of Events
### Initial Access
- **Date/Time:** Commenced April 2021.
- **Vector:** Purchase of Stolen Personally Identifiable Information (PII).
- **Details:** Attackers bought PII (names, DOBs, addresses, emails, phone numbers, SSNs) from darknet markets and Telegram. They also subscribed to background-check services (e.g., TruthFinder, BeenVerified) to gather supplementary data for verification.
### Lateral Movement
- **Date/Time:** Ongoing between April 2021 and 2026.
- **Vector:** Account Creation and Information Correlation.
- **Details:** Accomplices helped create thousands of fraudulent accounts on gambling sites. One attacker maintained a spreadsheet ("Tracker.xlsx") to organize victim data. One method involved using reverse phone searches on a "scam shield app" to match names with SSNs to create accounts.
### Data Exfiltration/Impact
- **Date/Time:** Ongoing during the operational period (2021–2026).
- **Vector:** Exploitation of Promotional Bonuses and Money Laundering.
- **Details:** Winnings from bets placed with new-user/promotional credits were transferred to virtual stored-value cards that the platforms accepted for deposits and withdrawals. These funds were subsequently moved to the perpetrators' bank and investment accounts.
### Detection & Response
- **Date/Time:** Charges announced February 2026.
- **Vector:** Federal Investigation/Law Enforcement Action.
- **Details:** Arrests of Amitoj Kapoor and Siddharth Lillaney following a 45-count federal indictment.
## Attack Methodology
- **Initial Access:** Purchasing stolen PII from illicit online sources (darknet, Telegram).
- **Persistence:** Not explicitly detailed; implied by the perpetrators retaining access to the fraudulent accounts over several years.
- **Privilege Escalation:** Not applicable in the traditional sense; focus was on **Identity Spoofing** to bypass account creation security controls.
- **Defense Evasion:** Utilizing sufficient data (PII + background check service data) to pass verification questions required by the gambling platforms.
- **Credential Access:** Acquisition of victim credentials/PII through external darknet purchases.
- **Discovery:** Using tools like reverse phone search apps to link victim names to SSNs for account setup.
- **Lateral Movement:** Creating multiple fraudulent accounts across several different gambling platforms.
- **Collection:** Compilation and organization of stolen PII in a spreadsheet ("Tracker.xlsx").
- **Exfiltration:** Transferring successful winnings via virtual stored-value cards, then to personal bank/investment accounts.
- **Impact:** $3 million in financial fraud and identity theft affecting 3,000 victims.
## Impact Assessment
- **Financial:** Approximately $3 million fraudulently obtained. Significant prosecution/investigation costs assumed by the government.
- **Data Breach:** PII of approximately 3,000 victims compromised, including names, DOBs, addresses, emails, phone numbers, and Social Security numbers.
- **Operational:** Fraud detection/prevention controls at multiple online gambling platforms were circumvented over a five-year period.
- **Reputational:** Negative impact on the trust mechanisms of the targeted gambling sites.
## Indicators of Compromise
- **Network indicators:** None specified; the scheme relied on manual PII purchasing and account setup rather than malware, so no C2 or other network-level indicators are reported.
- **File indicators:** A spreadsheet ("Tracker.xlsx") containing large volumes of victim PII (internal data maintained by the perpetrators).
- **Behavioral indicators:** Rapid creation of many new user accounts that claim first-time deposit bonuses and then withdraw almost immediately.
## Response Actions
- **Containment:** Arrests made and federal charges filed against the two primary suspects (Kapoor and Lillaney).
- **Eradication steps:** Not detailed publicly; presumably an investigation of all accounts associated with the suspects.
- **Recovery actions:** Victims will likely need to engage in recovery from identity theft; financial recovery dependent on ongoing legal proceedings.
## Lessons Learned
- **Stolen PII Ecosystem:** Criminals actively source comprehensive PII bundles (including SSNs) from darknet and messaging apps for complex fraud schemes.
- **Verification Layer Weakness:** Existing verification procedures on online platforms (even those requiring background checks) were insufficient to stop high-volume identity abuse when combined with malicious data acquisition.
- **Data Organization:** Attackers utilized internal organization methods (spreadsheets) to efficiently scale their identity theft operations.
## Recommendations
- Implement multi-factor authentication or biometric verification for high-value account creation/withdrawal, especially when new user bonuses are involved.
- Enhance real-time monitoring to detect mass account creation patterns linked to known PII acquisition vectors or suspicious bonus exploitation behavior.
- Increase vigilance regarding the use of stored-value cards for initial deposits and high-speed subsequent withdrawals.
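The behavioral indicator and monitoring recommendation above can be turned into a concrete detection pass. The following is an added example, not code from the report or from any of the named platforms; the account records, field names and thresholds are constructed assumptions, and the heuristics (fast cash-out of a sign-up bonus with little wagering, withdrawal to a stored-value card, many accounts sharing one sign-up device) are generalized from what the indictment describes.

```python
from collections import defaultdict

# Constructed sample of per-account summaries (not real platform data).
# bonus: promotional credit granted; wagered: total stake placed;
# withdraw_hours: hours from account creation to first withdrawal (None if none);
# rail: withdrawal method; device: device fingerprint seen at sign-up.
ACCOUNTS = [
    {"id": "a1", "bonus": 500, "wagered": 520, "withdraw_hours": 6,
     "rail": "stored_value_card", "device": "dev-7"},
    {"id": "a2", "bonus": 500, "wagered": 510, "withdraw_hours": 12,
     "rail": "stored_value_card", "device": "dev-7"},
    {"id": "a3", "bonus": 500, "wagered": 505, "withdraw_hours": 30,
     "rail": "stored_value_card", "device": "dev-7"},
    {"id": "a4", "bonus": 500, "wagered": 4000, "withdraw_hours": 240,
     "rail": "bank_transfer", "device": "dev-1"},
    {"id": "a5", "bonus": 0, "wagered": 200, "withdraw_hours": None,
     "rail": None, "device": "dev-2"},
]

def account_reasons(a, max_hours=48, min_turnover=3.0):
    """Per-account bonus-abuse heuristics; returns the list of reasons that hit."""
    reasons = []
    if a["bonus"] > 0:
        hrs = a["withdraw_hours"]
        if hrs is not None and hrs <= max_hours:
            reasons.append("withdrawal within %dh of creation" % max_hours)
        # Turnover requirement: bonus credit should be wagered several times over
        if a["wagered"] < min_turnover * a["bonus"]:
            reasons.append("bonus withdrawn with little wagering")
    if a["rail"] == "stored_value_card":
        reasons.append("cash-out via stored-value card")
    return reasons

def flag_accounts(accounts, max_hours=48, min_turnover=3.0, min_shared=3, min_hits=3):
    """Flag accounts that trip several heuristics, adding a hit when the
    sign-up device is shared by at least min_shared accounts (mass creation)."""
    by_device = defaultdict(list)
    for a in accounts:
        by_device[a["device"]].append(a["id"])
    flagged = {}
    for a in accounts:
        reasons = account_reasons(a, max_hours, min_turnover)
        peers = len(by_device[a["device"]])
        if peers >= min_shared:
            reasons.append("sign-up device shared by %d accounts" % peers)
        if len(reasons) >= min_hits:
            flagged[a["id"]] = reasons
    return flagged

if __name__ == "__main__":
    for acct, why in flag_accounts(ACCOUNTS).items():
        print(acct, "->", "; ".join(why))
```

In production the device key would be replaced or supplemented by other shared attributes (payment instrument, phone number, IP range) and the thresholds tuned against the platform's own base rates.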