Kamerin Stokes, a 23-year-old from Memphis, Tennessee, has been sentenced to prison for his role in a 2022 credential stuffing attack targeting the online betting platform DraftKings.
Stokes has been sentenced to 30 months in prison and three years of supervised release. He has also been ordered to pay $125,000 in forfeiture and $1.3 million in restitution.
In the 2022 credential-stuffing attack targeting DraftKings, hackers accessed roughly 60,000 accounts using username-password combinations obtained from other breaches. The goal was to withdraw funds from the compromised accounts.
The DoJ has not named the targeted site, describing it as a fantasy sports and betting website.
Stokes, who used the online moniker ‘TheMFNPlug’, acquired DraftKings accounts in bulk and sold access to them through an online marketplace he controlled.
The Justice Department said Stokes reopened his shop after he pleaded guilty, offering to sell access to accounts at various retailers.
“Stokes advertised his reopened Shop using the tagline ‘fraud is fun,’ and said that he had been running these types of shops for three years. He further said that he opened the new Shop in part because ‘gotta pay my attorneys,’ referring to his prosecution in this case,” the DoJ said.
Two others have been charged for their role in the same scheme. Joseph Garrison pleaded guilty in November 2023 and was sentenced to 18 months in prison in February 2024. Nathan Austad pleaded guilty in December 2025 and should be sentenced soon.
Garrison and Austad collaborated on the credential-stuffing attack and the subsequent sale of account access.
DraftKings is still targeted in credential-stuffing attacks, with the company issuing a warning to users in October 2025.
Related: Dutch Port Hacker Sentenced to Prison
Related: LeakBase Cybercrime Forum Shut Down, Suspects Arrested
Related: Man Linked to Phobos Ransomware Arrested in Poland
