23-year-old Kamerin Stokes of Memphis, Tennessee, was sentenced to 30 months in prison for selling access to tens of thousands of hacked DraftKings accounts.
According to court documents, the accounts were hijacked by Nathan Austad (aka Snoopy) with the help of Joseph Garrison (a third accomplice charged in May 2023) in a massive November 2022 credential-stuffing attack that compromised nearly 68,000 DraftKings accounts.
U.S. prosecutors said Austad and Garrison used a list of credentials stolen in multiple breaches to hack into DraftKings accounts, then sold access to others who stole around $635,000 from roughly 1,600 compromised accounts.
While they made over $2.1 million selling some of these hijacked DraftKings accounts (as well as FanDuel and Chick-fil-A accounts) through their own “shops,” they also sold many in bulk to Stokes (also known online as TheMFNPlug), who resold them through his own “shop.”
One month later, the sports betting giant said it had to refund hundreds of thousands of dollars stolen from hacked accounts, after all available funds were withdrawn following the addition of a new payment method and a $5 deposit to verify its validity.
After being arrested, pleading guilty, and released while awaiting trial, Stokes reopened his shop with a new “fraud is fun” tagline and continued selling access to compromised accounts for various retailers.
Prosecutors said he also admitted “he had been running these types of shops for three years” and that he relaunched the shop because he needed money to pay his attorney.
“Kamerin Stokes victimized thousands of users of an online betting website though [sic] a cyberattack,” U.S. Attorney Jay Clayton noted in a Thursday press release.
“After pleading guilty to federal crimes, Stokes audaciously reopened his criminal business, marketed using the tagline’ fraud is fun,’ and said that he opened the new Shop in part because ‘gotta pay my attorneys,’ referring to his prosecution in this case.”
After reopening his website, Stokes was again remanded into federal custody after being arrested for violating the conditions of his pretrial release.
In addition to 30 months in prison, Stokes was given 3 years of supervised release and ordered to pay $1,327,061 in restitution and $125,965.53 in forfeiture.
AI chained four zero-days into one exploit that bypassed both renderer and OS sandboxes. A wave of new exploits is coming.
At the Autonomous Validation Summit (May 12 & 14), see how autonomous, context-rich validation finds what’s exploitable, proves controls hold, and closes the remediation loop.
