DraftKings hacker 'Snoopy' gets 18 months as part of 2022 cyberattack fallout

At a glance:

• Nathan Austad, aka 'Snoopy,' was sentenced to 18 months in prison for his role in the November 2022 DraftKings hack.
• The attack compromised 60,000 accounts, with hackers stealing $600,000 and adding payment methods to 1,600 accounts.
• Two other suspects, Joseph Garrison and Kamerin Stokes, received sentences of 18 and 30 months, respectively.

What happened

In December 2025, 21-year-old Nathan Austad of Minnesota pleaded guilty to conspiracy to commit computer intrusion for his role in a November 2022 cyberattack targeting DraftKings, a major fantasy sports and sports betting platform. The breach exploited weak passwords and reused credentials through credential stuffing, allowing hackers to access 60,000 user accounts. During the attack, the perpetrators added payment methods under their control to 1,600 accounts and stole approximately $600,000. At the time, DraftKings initially reported less than $300,000 in losses, later revising the figure to 67,995 compromised accounts.

Austad operated an underground marketplace named after the Peanuts character Snoopy, where he sold access to stolen DraftKings accounts. The U.S. Department of Justice revealed that Austad's cryptocurrency wallets received roughly $465,000 in assets, though the exact profits from account sales remain undisclosed. Prosecutors highlighted direct messages in which Austad openly discussed fraudulent activities and warned co-conspirators to prepare for potential consequences.

The broader scheme

Joseph Garrison, another key figure in the scheme, was charged in May 2023 and sentenced to 18 months in January 2024. Kamerin Stokes, known as "TheMFNPlug," was charged in January 2024 and received a 30-month sentence in April 2026. The trio allegedly sold access to hacked accounts through online marketplaces, including the "Goat Shop," which catered to cybercriminals seeking stolen credentials. The operation underscores the growing sophistication of credential-stuffing attacks and the dark web's role in monetizing compromised data.

Financial impact and legal consequences

Beyond the prison term, Austad was ordered to pay $463,684 in forfeiture and $1,327,061 in restitution, reflecting the scale of financial damage. The case highlights the ongoing challenges platforms like DraftKings face in securing user accounts against automated attacks. Credential stuffing remains a persistent threat, with hackers leveraging previously breached credentials to gain unauthorized access to accounts across multiple services.

DraftKings has since strengthened its authentication protocols, but the incident serves as a cautionary tale for the broader tech industry. As cybercriminals increasingly exploit reused passwords, companies must invest in multi-factor authentication and real-time threat detection to mitigate risks. The sentences handed to Austad, Garrison, and Stokes signal a growing legal emphasis on prosecuting cybercrime networks that profit from stolen digital identities.

Looking ahead

The case raises questions about the adequacy of current cybersecurity measures in the gaming and betting sectors. With the rise of online platforms handling sensitive financial data, regulators may push for stricter compliance standards. For users, the incident underscores the importance of unique, complex passwords and enabling two-factor authentication wherever possible. As cybercrime evolves, so too must the strategies to combat it.