Two more individuals have been indicted for their role in a credential stuffing attack resulting in unauthorized access to thousands of user accounts at a fantasy sports and betting website.
The individuals, Nathan Austad, 19, of Farmington, Minnesota, and Kamerin Stokes, 21, of Memphis, Tennessee, allegedly participated in compromising the accounts using usernames and passwords obtained from other data breaches, and attempted to sell access to the accounts.
A third co-conspirator, Joseph Garrison, was indicted on May 18, 2023 for his involvement in the scheme. Garrison surrendered himself on the same day and pleaded guilty in November. He is scheduled for sentencing on February 1.
The targeted website, which is not mentioned in the FBI complaint (PDF), appears to be DraftKings, which announced in November 2022 that roughly 60,000 user accounts were compromised in a credential stuffing attack.
According to court documents, in November 2022, Austad and Garrison accessed roughly 60,000 user accounts at the target fantasy sports and betting website.
By registering a new payment method, the defendants were able to withdraw all the existing funds from the victim accounts.
The fraudsters allegedly also sold access to the compromised accounts in bulk through various underground shops, including shops that they directly controlled.
According to the complaint, Stokes, who controlled his own such shop, purchased access to some of the accounts in bulk. In total, Stokes obtained from Garrison access to accounts that had a total value of over $125,000, and advertised the availability of the compromised accounts on his shop via Instagram.
The complaint also reveals that Austad messaged other co-conspirators about the investigation into the cyberattack, and that he was aware he was committing fraud.
According to the FBI, Austad used artificial intelligence image generation tools to create images that advertised his shop of stolen user accounts, and controlled cryptocurrency accounts that received approximately $465,000 in proceeds related to credential stuffing attacks and the sale of compromised accounts.
In total, Austad, Stokes, Garrison, and others are estimated to have stolen approximately $600,000 from roughly 1,600 victim accounts.
Austad and Stokes, who were arrested on January 29, have been charged with conspiracy to commit computer intrusion, unauthorized access to a computer, wire fraud, wire fraud conspiracy, and aggravated identity fraud. If found guilty, they face up to 20 years in prison.