Memphis man sentenced to 30 months for selling thousands of hacked DraftKings accounts
At a glance:
- Kamerin Stokes sentenced to 30 months in prison for reselling access to tens of thousands of compromised DraftKings accounts.
- The breach originated from a November 2022 credential-stuffing attack that compromised nearly 68,000 accounts.
- Total losses include approximately $635,000 stolen from 1,600 users, with the perpetrators earning over $2.1 million from account sales.
The mechanics of the DraftKings breach
The legal proceedings have revealed a coordinated effort to monetize user data through a massive credential-stuffing attack in November 2022. The operation was spearheaded by Nathan Austad, known online as "Snoopy," and Joseph Garrison, who utilized lists of credentials leaked from previous, unrelated data breaches to gain unauthorized access to DraftKings accounts. By automating login attempts with stolen email and password combinations, the duo managed to hijack nearly 68,000 accounts.
Once access was secured, the operation shifted from hacking to distribution. Austad and Garrison established their own "shops" to sell these hijacked accounts, generating over $2.1 million in revenue. While the primary targets were DraftKings users, the group also sold compromised accounts from other major platforms, including FanDuel and Chick-fil-A. This ecosystem allowed third-party buyers to log in to the accounts and drain funds, resulting in roughly $635,000 being stolen from approximately 1,600 individual victims.
The role of Kamerin Stokes and the resale market
Kamerin Stokes, a 23-year-old from Memphis, Tennessee, operated under the online alias "TheMFNPlug." Rather than performing the initial hacks, Stokes acted as a high-volume distributor, purchasing compromised accounts in bulk from Austad and Garrison to resell them through his own digital storefront. This layered approach is common in cybercrime, where "initial access brokers" sell raw access to "downstream" operators who then execute the final theft or fraud.
During the investigation, Stokes admitted to running these types of fraudulent shops for three years. The financial impact on the victims was severe enough that DraftKings was forced to refund hundreds of thousands of dollars. The theft method involved a specific "cash-out" process where attackers added a new payment method to the account and made a nominal $5 deposit to verify the validity of the new method before withdrawing all available funds.
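The cash-out sequence described above (new payment method, nominal $5 deposit, then withdrawal of the balance) can be expressed as a detection rule over account event logs. This is an added example, not code from DraftKings or the original article; the event names, tuple layout, 24-hour window and 90% drain threshold are assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(hours=24)   # assumed: how long a newly added method stays "fresh"
NOMINAL_DEPOSIT = 5.00         # the $5 verification deposit described in the article
DRAIN_RATIO = 0.90             # assumed: withdrawing >= 90% of the balance is a drain

# Constructed sample events, not real data.
# Fields: (timestamp, account, event, payment_method, amount, balance_before)
EVENTS = [
    ("2022-11-18T02:10:00", "acct-1", "login", None, 0, 412.50),
    ("2022-11-18T02:12:00", "acct-1", "payment_method_added", "pm-new", 0, 412.50),
    ("2022-11-18T02:13:00", "acct-1", "deposit", "pm-new", 5.00, 412.50),
    ("2022-11-18T02:15:00", "acct-1", "withdrawal", "pm-new", 417.50, 417.50),
    ("2022-11-18T09:00:00", "acct-2", "deposit", "pm-old", 50.00, 20.00),
    ("2022-11-18T09:30:00", "acct-2", "withdrawal", "pm-old", 10.00, 70.00),
    ("2022-11-10T08:00:00", "acct-3", "payment_method_added", "pm-x", 0, 300.00),
    ("2022-11-18T08:00:00", "acct-3", "withdrawal", "pm-x", 300.00, 300.00),
]

def find_cashouts(events, window=WINDOW):
    """Return accounts showing: new method -> nominal deposit -> balance drain."""
    state = {}       # (account, method) -> {"added": datetime, "verified": bool}
    flagged = set()
    for ts, acct, kind, method, amount, balance in sorted(events, key=lambda e: e[0]):
        when = datetime.fromisoformat(ts)
        key = (acct, method)
        if kind == "payment_method_added":
            state[key] = {"added": when, "verified": False}
            continue
        entry = state.get(key)
        if entry is None or when - entry["added"] > window:
            continue  # long-standing method, or the method is no longer "fresh"
        if kind == "deposit" and amount <= NOMINAL_DEPOSIT:
            entry["verified"] = True  # small test deposit on the new method
        elif (kind == "withdrawal" and entry["verified"]
              and balance > 0 and amount / balance >= DRAIN_RATIO):
            flagged.add(acct)  # drain to a method added and tested minutes earlier
    return sorted(flagged)

if __name__ == "__main__":
    print(find_cashouts(EVENTS))
```

In production a rule like this would typically hold the withdrawal for step-up verification rather than only raise an alert, since the funds leave the account in the final step.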
Legal fallout and the "fraud is fun" recidivism
The case took a turn for the worse after Stokes was initially arrested and pleaded guilty. While released on pretrial supervision awaiting his trial, Stokes displayed a blatant disregard for the judicial process by reopening his fraudulent shop. He rebranded the business with the provocative tagline "fraud is fun" and continued selling access to compromised retail accounts, claiming he needed the money to pay for his legal defense.
This recidivism led to his immediate remand into federal custody for violating the conditions of his release. U.S. Attorney Jay Clayton highlighted the audacity of the move, noting that Stokes continued to victimize users even while under federal prosecution. The court ultimately handed down a sentence of 30 months in prison, followed by three years of supervised release.
Financial restitution and industry implications
Beyond the prison term, the court has imposed heavy financial penalties to address the scale of the fraud. Stokes has been ordered to pay $1,327,061 in restitution to the victims and $125,965.53 in forfeiture. These figures underscore the significant financial footprint of credential-stuffing attacks, which leverage the common habit of password reuse across multiple platforms.
This case serves as a stark reminder for the online gaming and sports betting industry regarding the vulnerability of user accounts. As platforms like DraftKings and FanDuel handle significant financial transactions, the incentive for attackers to utilize leaked credentials remains high. The incident emphasizes the critical need for mandatory multi-factor authentication (MFA) to prevent automated attacks from succeeding even when a password is known.
Prepared by the editorial stack from public data and external sources.