30 months for hacked DraftKings access sales in credential-stuffing case

A Memphis man was sentenced to 30 months for selling access to tens of thousands of hijacked DraftKings accounts after a large credential-stuffing attack.
A Memphis man has been sentenced to 30 months in federal prison for selling access to tens of thousands of hacked DraftKings accounts, a scheme prosecutors tied to large-scale credential theft.
Kamerin Stokes, 23, of Tennessee, was convicted in a case involving hijacked betting accounts that had been compromised during a major credential-stuffing attack in November 2022. Court documents say the intrusion was carried out by Nathan Austad (online as “Snoopy”), with Joseph Garrison as a third accomplice. The attack compromised nearly 68,000 DraftKings accounts, and prosecutors described how stolen credentials from multiple breaches were used to gain access.
What Stokes did next was, in effect, turn account takeovers into a marketplace. Prosecutors said the stolen access was sold to others who then stole money—about $635,000 from roughly 1,600 compromised accounts. The fraud didn’t stay confined to DraftKings either. Prosecutors said the groups behind the activity also targeted other brands, including FanDuel and Chick-fil-A accounts.
The money trail in the case is part of what makes it so alarming for consumers. Prosecutors said Austad and Garrison made more than $2.1 million selling some of the hijacked accounts through their own “shops,” and they also sold many in bulk to Stokes. Stokes then resold access through his own shop, effectively operating as a distributor in a fraud supply chain rather than a one-off offender.
DraftKings later faced a costly consequence of the wave of takeovers: refunds after stolen funds were taken and then withdrawn through attempted “cash-out” workflows. Prosecutors said that following the addition of a new payment method and a $5 deposit intended to verify the payment tool, the remaining funds were still withdrawn from impacted accounts—prompting the need to refund hundreds of thousands of dollars.
The case also shows how quickly cybercrime businesses can try to bounce back after legal trouble. After Stokes was arrested, pled guilty, and was released while awaiting trial, prosecutors said he reopened his shop with a new tagline and continued offering access to compromised accounts. In court filings, he acknowledged he had been running similar shops for years and said he relaunched because he needed money for legal costs.
That “resume business” moment is where the human impact becomes clearer. Real users don’t just lose money; they lose the sense of control around their accounts—especially in betting apps where payments, balances, and verification steps can be tied tightly to identity. When attackers repeatedly cycle credentials through different victims and platforms, affected users often end up dealing with account security steps, support tickets, and delayed recovery rather than a quick fix.
From a technology and security perspective, credential-stuffing attacks thrive because they exploit habits and overlaps. If a person reuses the same password across services—or if attackers obtain credential dumps from unrelated breaches—automated login attempts can succeed until additional safeguards slow or block the behavior. The court narrative in this case underscores that attackers were not relying on a single breach of DraftKings alone; instead, they combined stolen credential lists from multiple incidents with automation to reach thousands of accounts.
Misryoum’s takeaway is that this is less a story about one compromised app and more about how criminal “shops” turn stolen access into an organized operation. When account takeovers are resold, the risk multiplies: one intrusion can lead to repeated rounds of fraud as different sellers and buyers iterate on what works. That also means defenses need to focus beyond reactive password resets. Stronger detection of abnormal login patterns, tighter risk scoring for cash-out behavior, and more resilient account verification workflows can reduce the practical value of stolen credentials even when they reach the black market.
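The cash-out sequence prosecutors described (a newly added payment method, a small verification deposit, then withdrawal of the remaining balance) is the kind of pattern cash-out risk scoring can hold for review. The following is an added example, not code from DraftKings or the court record; the event names, thresholds and sample events are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real data): (account, ISO time, event, method, amount)
EVENTS = [
    ("acct-1", "2022-11-18T10:02:00", "add_payment_method", "card-A", 0),
    ("acct-1", "2022-11-18T10:03:00", "deposit", "card-A", 5.00),
    ("acct-1", "2022-11-18T10:06:00", "withdrawal", "card-A", 412.50),
    # Long-standing method, ordinary withdrawal: should not be flagged.
    ("acct-2", "2022-10-01T09:00:00", "add_payment_method", "bank-B", 0),
    ("acct-2", "2022-10-01T09:05:00", "deposit", "bank-B", 50.00),
    ("acct-2", "2022-11-18T12:00:00", "withdrawal", "bank-B", 80.00),
    # New method added, but the payout goes to an older one: not this pattern.
    ("acct-3", "2022-09-01T08:00:00", "add_payment_method", "bank-C", 0),
    ("acct-3", "2022-11-18T13:00:00", "add_payment_method", "card-D", 0),
    ("acct-3", "2022-11-18T13:01:00", "deposit", "card-D", 5.00),
    ("acct-3", "2022-11-18T13:10:00", "withdrawal", "bank-C", 30.00),
]

def flag_cashouts(events, window=timedelta(hours=24), max_verify_deposit=10.0):
    """Return withdrawals paid to a method added within `window` whose only
    deposits so far are verification-sized and smaller than the payout."""
    added = {}      # (account, method) -> time the method was added
    deposits = {}   # (account, method) -> deposit amounts from that method
    flagged = []
    for account, ts, kind, method, amount in sorted(events, key=lambda e: e[1]):
        when = datetime.fromisoformat(ts)
        key = (account, method)
        if kind == "add_payment_method":
            added[key] = when
            deposits[key] = []
        elif kind == "deposit" and key in added:
            deposits[key].append(amount)
        elif kind == "withdrawal" and key in added:
            amounts = deposits[key]
            is_new = when - added[key] <= window
            only_small = bool(amounts) and max(amounts) <= max_verify_deposit
            drains_more = amount > sum(amounts)  # pays out more than it put in
            if is_new and only_small and drains_more:
                flagged.append((account, method, amount))
    return flagged

if __name__ == "__main__":
    for hit in flag_cashouts(EVENTS):
        print("hold for review:", hit)
```

A hit here is a signal to delay the payout and re-verify the account holder, not proof of fraud; the window and deposit threshold would need tuning against real traffic.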
For now, the court’s sentence gives the public a rare datapoint on accountability: Stokes received 30 months in prison, along with three years of supervised release. He was also ordered to pay $1,327,061 in restitution and $125,965.53 in forfeiture. Yet the case also serves as a reminder that punishment alone doesn’t remove the underlying threat—credential theft and account resale networks keep finding new participants unless platforms harden the points where stolen access converts into stolen money.