Sentence Handed Down in DraftKings Credential Stuffing Case
A 23-year-old man from Memphis, Tennessee named Kamerin Stokes has been sentenced to 30 months in federal prison and three years of supervised release for his involvement in a large-scale credential stuffing attack against online fantasy sports and betting platform DraftKings in 2022. In addition to incarceration, Stokes has been ordered to pay $125,000 in forfeiture and $1.3 million in restitution.
How the Attack Unfolded
The 2022 attack relied on a technique known as credential stuffing, in which attackers use username-and-password combinations harvested from previous data breaches to gain unauthorized access to accounts on other platforms. In this instance, hackers managed to access approximately 60,000 DraftKings accounts. Once inside, the objective was straightforward: drain funds from the compromised accounts.
The U.S. Department of Justice has refrained from explicitly naming DraftKings in its official statements, instead describing the target as a fantasy sports and betting website. However, reporting has confirmed the platform in question.
Stokes's Role: Bulk Account Sales
Operating under the online alias 'TheMFNPlug', Stokes acquired batches of compromised DraftKings accounts and sold access to them through an online marketplace he personally controlled. His conduct did not stop after law enforcement became involved. According to the Department of Justice, Stokes reopened his illicit shop even after pleading guilty, this time offering access to accounts belonging to customers of various retailers.
"Stokes advertised his reopened Shop using the tagline 'fraud is fun,' and said that he had been running these types of shops for three years. He further said that he opened the new Shop in part because 'gotta pay my attorneys,' referring to his prosecution in this case." — U.S. Department of Justice
The brazen continuation of criminal activity following a guilty plea underscored the audacity of Stokes's conduct and likely influenced the sentencing outcome.
Co-Conspirators Also Face Justice
Stokes was not the only individual charged in connection with the 2022 DraftKings scheme. Two co-conspirators have also faced legal consequences:
- Joseph Garrison pleaded guilty in November 2023 and was subsequently sentenced to 18 months in prison in February 2024.
- Nathan Austad pleaded guilty in December 2025 and is awaiting sentencing.
Garrison and Austad worked together on the credential stuffing attack itself as well as on the subsequent sale of access to the compromised accounts, making the operation a coordinated multi-party criminal enterprise.
DraftKings Continues to Face Credential Stuffing Threats
The sentencing of these individuals has not fully insulated DraftKings from this type of threat. The platform remains a target for credential stuffing campaigns, as evidenced by the company issuing a formal warning to its user base as recently as October 2025. This ongoing exposure highlights that credential stuffing is not a one-time threat but a persistent attack vector that organizations, particularly those handling financial transactions, must continuously defend against.
Understanding the Broader Threat of Credential Stuffing
Credential stuffing attacks exploit one of the most widespread security failures among end users: password reuse. When individuals use the same username and password combination across multiple websites, a breach at one platform effectively compromises their accounts everywhere else. Attackers frequently purchase stolen credential databases on cybercrime forums and run automated tools to test those credentials against high-value targets like financial services, e-commerce platforms, and betting sites.
In the DraftKings case, the attackers had a clear financial motive — withdraw money directly from victim accounts — making the impact immediate and measurable. The fact that roughly 60,000 accounts were accessed in a single campaign demonstrates the scale at which these attacks can operate when left unchecked.
Key Takeaways
- Credential stuffing attacks can compromise tens of thousands of accounts in a single campaign when perpetrators leverage leaked credential databases.
- Selling access to compromised accounts, even after a guilty plea, can result in additional legal consequences and harsher sentencing considerations.
- Multiple individuals can be prosecuted for a single coordinated credential stuffing scheme, as demonstrated by the charges against Stokes, Garrison, and Austad.
- Organizations remain vulnerable to repeat targeting, with DraftKings issuing warnings to users as late as October 2025, more than three years after the original 2022 attack.
Source: SecurityWeek