Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cybercrime

Two More Individuals Charged for DraftKings Hacking

Nathan Austad and Kamerin Stokes have been charged for hacking user accounts at fantasy sports and betting website DraftKings.

Two more individuals have been indicted for their role in a credential stuffing attack resulting in unauthorized access to thousands of user accounts at a fantasy sports and betting website.

The individuals, Nathan Austad, 19, of Farmington, Minnesota, and Kamerin Stokes, 21, of Memphis, Tennessee, allegedly participated in compromising the accounts using usernames and passwords obtained from other data breaches, and attempted to sell access to the accounts.

A third co-conspirator, Joseph Garrison, was indicted on May 18, 2023 for his involvement in the scheme. Garrison surrendered himself on the same day and pleaded guilty in November. He is scheduled for sentencing on February 1.

The targeted website, which is not mentioned in the FBI complaint (PDF), appears to be DraftKings, which announced in November 2022 that roughly 60,000 user accounts were compromised in a credential stuffing attack.

According to court documents, in November 2022, Austad and Garrison accessed roughly 60,000 user accounts at the target fantasy sports and betting website.

By registering a new payment method, the defendants were able to withdraw all the existing funds from the victim accounts.

The fraudsters allegedly also sold access to the compromised accounts in bulk through various underground shops, including shops that they directly controlled.

According to the complaint, Stokes, who controlled his own such shop, purchased access to some of the accounts in bulk. In total, Stokes obtained from Garrison access to accounts that had a total value of over $125,000, and advertised the availability of the compromised accounts on his shop via Instagram.

Advertisement. Scroll to continue reading.

The complaint also reveals that Austad messaged other co-conspirators about the investigation into the cyberattack, and that he was aware he was committing fraud.

According to the FBI, Austad used artificial intelligence image generation tools to create images that advertised his shop of stolen user accounts, and controlled cryptocurrency accounts that received approximately $465,000 in proceeds related to credential stuffing attacks and the sale of compromised accounts.

In total, Austad, Stokes, Garrison, and others are estimated to have stolen approximately $600,000 from roughly 1,600 victim accounts.

Austad and Stokes, who were arrested on January 29, have been charged with conspiracy to commit computer intrusion, unauthorized access to a computer, wire fraud, wire fraud conspiracy, and aggravated identity fraud. If found guilty, they face up to 20 years in prison.

Related: Canadian Man Sentenced to Prison for Ransomware Attacks

Related: US Charges Russian Involved in 2013 Hacking of Neiman Marcus, Michaels

Related: Nigerian Arrested, Charged in $7.5 Million BEC Scheme Targeting US Charities

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Gain valuable insights from industry professionals who will help guide you through the intricacies of industrial cybersecurity.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Cybercrime

As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Cybercrime

Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.

Cybercrime

Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.

Cybercrime

Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.