DraftKings Website Hack, $635K Theft Leads to Two More Arrests

Two additional men were arrested on Monday for hacking accounts and then stealing about $635K from customers, according to federal prosecutors and press reports.

In total, some 60K accounts were successfully compromised on the sports betting site in 2022. Funds were taken from approximately 1,600 accounts.

Using a scheme known as a “,” the hackers accessed the site after employing a large list of credentials stolen from earlier data breaches.

One arrested suspect is Nathan Austad, 19, of Farmington, Minn., whose online alias is “Snoopy” (from the Peanuts cartoon). He was arrested in Minnesota. Also arrested was Kamerin Stokes, 21, of Memphis, Tenn., who has the alias “TheMFNPlug.”

Federal prosecutors explained that a credential stuffing attack is when someone “collects stolen credentials, or username and password pairs, obtained from other large-scale of other companies, which can be purchased on the dark web.”

The threat actor then systematically attempts to use those stolen credentials to obtain unauthorized access to accounts held by the same user with other companies and providers, in order to compromise accounts where the user has maintained the same password,” the feds added.

A criminal complaint explained that illegal access to the victims’ accounts was sold on websites called “shops.” Austad’s shop was named after “Snoopy.”

The suspects appear to have realized they could be subject to investigation. In May 2023, Austad sent out a message saying, “everyone knows their [sic] committing fraud.”

In December 2022, an unnamed co-conspirator in the plot texted, “lol fbi can’t do s**t.”

Both suspects appeared in federal court on Monday. If convicted, they could face decades in prison.

They are each charged with conspiracy to commit computer intrusions, unauthorized access to a protected computer to further intended fraud, access to a protected computer, wire fraud conspiracy, and aggravated identity theft.

In addition, Austad allegedly had accounts containing about $465K worth of cryptocurrency, authorities said. The amounts placed in the accounts appeared from the credential stuffing attacks and proceeds from the sale of stolen accounts.

In November, a third defendant, , 19, of Madison, Wis., pled guilty in Manhattan federal court to conspiracy to commit computer intrusion.  On Thursday, he’s scheduled to be sentenced by U.S. District Judge Lewis A. Kaplan. Garrison faces up to five years in prison.

In an online message, he once told one of his conspirators that “fraud is fun,” prosecutors said.

But federal officials are taking the case seriously.

Our office is relentless in tracking down the perpetrators of cybercrime,” Manhattan U.S. Attorney said in a statement announcing the two recent arrests.