In connection with the November 2022 DraftKings cyberattack, two individuals, Nathan Austad, 19, of Farmington, Minnesota, and Kamerin Stokes, 21, of Memphis, Tennessee, have been indicted for their involvement in the attack. The two are accused of misusing illegally obtained data for personal gain, selling confidential information, and causing harm to DraftKings and its clients. Additionally, Joseph Garrison, a third co-conspirator, has already pleaded guilty.
Austad and Stokes were arrested on 29 January and are facing charges including conspiracy to commit computer intrusion, unauthorized access to a computer, wire fraud, wire fraud conspiracy, and aggravated identity fraud. If convicted, they could face up to 20 years in prison. Their attack targeted approximately 60,000 DraftKinds accounts, gaining illegal access via other data breaches.
The attackers used various tactics, such as registering new payment methods to withdraw funds from victim accounts. They also sold access to the compromised accounts in bulk through underground shops, some of which they directly controlled. Stokes reportedly purchased access to accounts in bulk from Joseph Garrison, totaling over $125,000 in value, and sold them via his online shop.
Stokes advertised the compromised accounts on his shop through Instagram, contributing to the FBI’s investigation into the case. Authorities highlighted Austad’s use of artificial intelligence image generation tools to create images promoting his shop of stolen user accounts. Additionally, he managed cryptocurrency wallets that received approximately $465,000 in proceeds from credential-stuffing attacks and the sale of compromised data.
Joseph Garrison, a core member of the hacking group, was indicted on 18 May 2023 for his involvement in the scheme. Garrison had already surrendered and pleaded guilty in November, awaiting sentencing on 1 February. Austad, Stokes, Garrison, and other collaborators are estimated to have collectively stolen about $600,000 from approximately 1,600 victim accounts.
DraftKings has reimbursed all the stolen money from customers and noted the importance of the security of clients’ personal and financial information. The operator has taken extensive measures to prevent similar occurrences. FBI Assistant Director in Charge James Smith emphasized that cyberattacks are growing increasingly more sophisticated and pose a great risk to economic security.
This incident highlights the ongoing threats and challenges for online platforms, especially those in the gambling and fantasy sports sectors. Credential stuffing attacks remain a significant risk, emphasizing the need for robust security measures and user education to prevent unauthorized access to accounts. It is hoped that more operators will take notice of this case and take preemptive action to ensure the safety of their customers.