- A man from Memphis reopened his illegal shop after pleading guilty, adding a “fraud is fun” tagline.
- He needed cash to pay his own attorneys, so he kept selling stolen account access.
- The court sentenced him to two and a half years in prison and ordered restitution and forfeiture in excess of $1.45 million.
A 23-year-old man sold access to thousands of hacked DraftKings accounts. He even reopened his criminal shop after his arrest, because he said he had to pay his lawyers.
According to court documents, he was one of the perpetrators of a credential-stuffing attack in November 2022 that affected almost 68,000 DraftKings accounts.
How the account hijacking worked
Nathan Austad (aka Snoopy) and Joseph Garrison led the hacking. They used a list of login credentials stolen from multiple previous breaches. With that list, they broke into DraftKings accounts one by one.
U.S. prosecutors say Austad and Garrison then sold access to other criminals. Those buyers stole around $635,000 from roughly 1,600 compromised accounts. The duo made over $2.1 million by selling hijacked DraftKings, FanDuel, and even Chick-fil-A accounts through their own online “shops.”
But they also sold many accounts in bulk to Kamerin Stokes. Stokes, known online as TheMFNPlug, ran his own resale shop. He bought hacked accounts cheap and resold them for profit.
DraftKings had to react quickly to the breach. Thirty days after the event occurred, the company provided refunds to the victims. The hackers had added new payment methods, made a $5 test deposit, then drained every available fund.
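The takeover sequence described above (new payment method, small test deposit, withdrawal) is something a platform can correlate in its own account-event logs. The following is an added example, not code from the original article or from DraftKings; the event names, the one-hour window and the sample events are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

TEST_DEPOSIT_MAX = 5.00      # the article reports a $5 test deposit
WINDOW = timedelta(hours=1)  # assumed correlation window; tune to your data

# Constructed sample events (not real data): (timestamp, account, event, USD)
EVENTS = [
    ("2024-03-02T02:14:07", "acct-1001", "login", 0.0),
    ("2024-03-02T02:15:30", "acct-1001", "payment_method_added", 0.0),
    ("2024-03-02T02:16:02", "acct-1001", "deposit", 5.00),
    ("2024-03-02T02:19:45", "acct-1001", "withdrawal", 412.50),
    # Ordinary use: new card, normal-sized deposit, later withdrawal
    ("2024-03-02T09:00:00", "acct-2002", "payment_method_added", 0.0),
    ("2024-03-02T09:05:00", "acct-2002", "deposit", 50.00),
    ("2024-03-02T09:30:00", "acct-2002", "withdrawal", 80.00),
    # Small deposit, but the withdrawal comes days later (outside the window)
    ("2024-03-02T10:00:00", "acct-3003", "payment_method_added", 0.0),
    ("2024-03-02T10:02:00", "acct-3003", "deposit", 5.00),
    ("2024-03-05T18:00:00", "acct-3003", "withdrawal", 20.00),
    # Small deposit and withdrawal with no new payment method
    ("2024-03-02T11:10:00", "acct-4004", "deposit", 5.00),
    ("2024-03-02T11:20:00", "acct-4004", "withdrawal", 30.00),
    # Same pattern as acct-1001, delivered out of order by the log pipeline
    ("2024-03-02T12:07:00", "acct-5005", "withdrawal", 990.00),
    ("2024-03-02T12:01:00", "acct-5005", "payment_method_added", 0.0),
    ("2024-03-02T12:03:00", "acct-5005", "deposit", 5.00),
]

def flag_takeovers(events, window=WINDOW, max_test=TEST_DEPOSIT_MAX):
    """Accounts showing: new payment method -> small deposit -> withdrawal."""
    state = {}    # account -> [time the method was added, test deposit seen?]
    flagged = []
    for ts, acct, kind, amount in sorted(events):  # ISO timestamps sort by time
        now = datetime.fromisoformat(ts)
        added = state.get(acct)
        if kind == "payment_method_added":
            state[acct] = [now, False]
        elif added is None or now - added[0] > window:
            state.pop(acct, None)  # no recent new payment method to correlate
        elif kind == "deposit" and amount <= max_test:
            added[1] = True
        elif kind == "withdrawal" and added[1] and acct not in flagged:
            flagged.append(acct)
    return flagged

if __name__ == "__main__":
    print(flag_takeovers(EVENTS))
```

A flagged account is a candidate for holding the withdrawal and forcing re-authentication, not proof of compromise on its own.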
The return to crime after a guilty plea
Stokes got arrested, pleaded guilty, and was released while awaiting trial. Most people would stop. Not him.
He reopened his shop with a bold new tagline: “fraud is fun.” He kept selling access to compromised accounts of various retailers. When prosecutors asked why, Stokes admitted he had been running these types of shops for three years. And yes, he relaunched because he needed money to pay his attorney.
U.S. Attorney Jay Clayton didn’t hold back. “Kamerin Stokes victimized thousands of users of an online betting website through a cyberattack,” Clayton said in a press release. According to Clayton, despite Stokes’ guilty plea, he still went ahead and reopened his criminal business using the legal fees as an excuse.
The financial trail from such crimes often leads to cryptocurrency, which is why the Samourai Wallet case is significant. Prosecutors sought a 5-year sentence for the wallet’s alleged role in helping dark web criminals launder money, demonstrating that law enforcement is targeting not just the hackers but the financial tools that enable their crimes.
That bold move backfired, and the authorities rearrested Stokes for violating his pretrial release. Now he faces real consequences. The court handed him a 30-month sentence, plus another three years of supervised release. In addition, Stokes was ordered to pay restitution of $1,327,061 and $125,965.53 in forfeiture.
What is credential stuffing and how to avoid it
Credential stuffing is a type of cyberattack where hackers grab a list of usernames and passwords leaked from one site, then try those same pairs on many other sites to see if they work.
It works because people reuse passwords. If you use the same email and password on DraftKings that you used on another shopping site, you’re at risk. When DraftKings suffers a breach, your other account becomes an open door.
The attack in this case used exactly that method. Austad and Garrison grabbed a list of credentials from multiple earlier breaches. Then they automated login attempts against DraftKings until thousands of accounts cracked open.
So how do you protect yourself? First, never reuse passwords. Use a password manager instead. It creates long, random passwords for every account. You’ll only have to remember one killer master password if you use a password manager.
Also, enable multifactor authentication where you can. When you do so, no one can successfully log into your account unless they’re able to prove it’s really you via SMS code, an authenticator app, or a hardware key, even if they have your password.
Also, check if your email has appeared in data dumps from other breaches. Sites like Have I Been Pwned are free and dead simple to use. If your email happens to be in a dump, update your password ASAP.
Credential stuffing only works because a lot of users make it easy for hackers by reusing one password on multiple accounts.