Federal Sentence Handed Down in DraftKings Credential-Stuffing Case
A 23-year-old Memphis, Tennessee resident named Kamerin Stokes has been sentenced to 30 months in federal prison after he was convicted of purchasing and reselling access to tens of thousands of DraftKings accounts that had been hijacked through a large-scale credential-stuffing campaign. The sentencing marks another significant legal development in a case that exposed major vulnerabilities in online sports-betting platforms.
The November 2022 Credential-Stuffing Attack
According to court documents, the underlying attack was carried out in November 2022 by Nathan Austad, known online as Snoopy, with assistance from Joseph Garrison, a third accomplice who was charged separately in May 2023. The two exploited lists of credentials obtained from multiple prior data breaches and used them to break into DraftKings user accounts — a technique known as credential stuffing, where stolen username-password combinations are automatically tested against other services.
The attack ultimately compromised nearly 68,000 DraftKings accounts. Once inside, bad actors drained funds by adding a new payment method, making a $5 deposit to verify it, and then withdrawing all available balances. DraftKings later confirmed it was forced to refund hundreds of thousands of dollars stolen from affected users.
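The cash-out sequence described above (new payment method, small verification deposit, then a full withdrawal) is a pattern a platform can alert on. The following detection sketch is an added example, not code from DraftKings or the court record; the event field names, thresholds, and sample events are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample events; field names and values are assumptions.
EVENTS = [
    # A1: new method, $5 deposit, full balance withdrawn within minutes.
    {"ts": "2024-01-10T03:10:00", "account": "A1", "type": "payment_method_added", "method": "pm-9"},
    {"ts": "2024-01-10T03:11:30", "account": "A1", "type": "deposit", "method": "pm-9", "amount": 5.00},
    {"ts": "2024-01-10T03:14:00", "account": "A1", "type": "withdrawal", "method": "pm-9",
     "amount": 417.50, "balance_before": 417.50},
    # A2: new method, ordinary deposit, partial withdrawal (benign).
    {"ts": "2024-01-10T09:00:00", "account": "A2", "type": "payment_method_added", "method": "pm-2"},
    {"ts": "2024-01-10T09:05:00", "account": "A2", "type": "deposit", "method": "pm-2", "amount": 50.00},
    {"ts": "2024-01-10T09:30:00", "account": "A2", "type": "withdrawal", "method": "pm-2",
     "amount": 20.00, "balance_before": 300.00},
    # A3: full withdrawal to a long-standing method (no recent add event).
    {"ts": "2024-01-10T12:00:00", "account": "A3", "type": "withdrawal", "method": "pm-1",
     "amount": 150.00, "balance_before": 150.00},
    # A4: same sequence as A1, but the withdrawal comes three days later.
    {"ts": "2024-01-11T08:00:00", "account": "A4", "type": "payment_method_added", "method": "pm-7"},
    {"ts": "2024-01-11T08:02:00", "account": "A4", "type": "deposit", "method": "pm-7", "amount": 5.00},
    {"ts": "2024-01-14T08:00:00", "account": "A4", "type": "withdrawal", "method": "pm-7",
     "amount": 90.00, "balance_before": 95.00},
]

def flag_cashouts(events, window=timedelta(hours=1),
                  max_verify_deposit=10.0, drain_ratio=0.9):
    """Return accounts showing add-method -> small deposit -> near-total
    withdrawal to that same method, all inside `window` of the add event."""
    state = {}      # (account, method) -> {"added": datetime, "verified": bool}
    flagged = set()
    for ev in sorted(events, key=lambda e: e["ts"]):  # ISO timestamps sort as text
        ts = datetime.fromisoformat(ev["ts"])
        key = (ev["account"], ev.get("method"))
        if ev["type"] == "payment_method_added":
            state[key] = {"added": ts, "verified": False}
        elif key in state and ts - state[key]["added"] <= window:
            if ev["type"] == "deposit" and ev["amount"] <= max_verify_deposit:
                state[key]["verified"] = True
            elif (ev["type"] == "withdrawal" and state[key]["verified"]
                  and ev["amount"] >= drain_ratio * ev["balance_before"]):
                flagged.add(ev["account"])
    return sorted(flagged)

if __name__ == "__main__":
    print(flag_cashouts(EVENTS))
```

Widening `window` catches slower cash-outs such as account A4 at the cost of more review volume.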
How the Criminal Network Operated
U.S. prosecutors explained that Austad and Garrison did not simply exploit the accounts themselves — they monetized them through underground online storefronts. Together, the pair generated over $2.1 million by selling access to hijacked DraftKings accounts, as well as accounts belonging to FanDuel and Chick-fil-A, through their own dedicated shops.
Approximately 1,600 of those compromised accounts were actively raided by buyers, resulting in an estimated $635,000 stolen from victims. A substantial portion of the stolen account credentials was sold in bulk to Stokes, who operated under the online alias TheMFNPlug and ran his own resale shop, further distributing access to the compromised accounts.
Brazen Relapse: "Fraud Is Fun"
The case took a particularly striking turn after Stokes was arrested and pleaded guilty. Released while awaiting sentencing, he chose to reopen his illicit storefront — this time operating under the tagline "fraud is fun." Rather than selling DraftKings accounts specifically, the relaunched shop offered access to compromised accounts from various retail platforms.
Prosecutors noted that Stokes openly admitted he had been running these types of criminal shops for three years and that he relaunched the operation specifically because he needed funds to cover his legal defense costs.
"Kamerin Stokes victimized thousands of users of an online betting website through a cyberattack. After pleading guilty to federal crimes, Stokes audaciously reopened his criminal business, marketed using the tagline 'fraud is fun,' and said that he opened the new Shop in part because 'gotta pay my attorneys,' referring to his prosecution in this case." — U.S. Attorney Jay Clayton
Following the discovery of his resumed criminal activity, Stokes was again taken into federal custody after being arrested for violating the conditions of his pretrial release.
Penalties and Restitution
In addition to the 30-month prison sentence, the court imposed the following penalties on Stokes:
- 3 years of supervised release following his prison term
- $1,327,061 in restitution to be paid to victims
- $125,965.53 in forfeiture of criminally derived proceeds
Broader Context: A Multi-Defendant Prosecution
The DraftKings credential-stuffing case has ensnared multiple defendants. Joseph Garrison was charged in May 2023, and Nathan Austad has also faced legal proceedings connected to the scheme. The sentencing of Stokes represents the latest chapter in the government's effort to hold accountable not just the initial attackers but also the downstream actors who profit from stolen account access.
The case highlights a growing concern in cybersecurity circles: credential-stuffing attacks remain highly effective because large volumes of breached credentials are readily available on criminal marketplaces, and many users reuse passwords across multiple platforms. Online platforms with financial components — such as sports betting sites — are particularly attractive targets, since stolen accounts can be quickly converted into cash.
Law enforcement agencies continue to press for stronger account-security measures across the industry, including multi-factor authentication and anomalous-login detection, to limit the damage from future attacks of this nature.
Source: BleepingComputer