Two More Individuals Charged for DraftKings Hacking

Two More Individuals Charged for DraftKings Hacking
Photo by Fauzan Saari / Unsplash

In the ever-evolving landscape of cybercrime, the latest headlines bring forth another troubling case of two individuals charged with hacking into user accounts at the popular fantasy sports and betting website, DraftKings. Nathan Austad, a 19-year-old from Farmington, Minnesota, and Kamerin Stokes, a 21-year-old from Memphis, Tennessee, have found themselves facing serious allegations.

US Charges Russian Involved in 2013 Hacking of Neiman Marcus, Michaels
In a recent development, the US Justice Department has announced charges against two Russian nationals involved in cybercriminal activities, including a man allegedly responsible for the 2013 hacking of retailers Neiman Marcus and Michaels Stores. These charges shed light on the persistent threat of cybercrime and the importance of robust

The Credential Stuffing Attack

The charges against Austad and Stokes revolve around their alleged involvement in a credential stuffing attack, which led to unauthorized access to thousands of user accounts on DraftKings. In such attacks, cybercriminals use stolen usernames and passwords, often obtained from other data breaches, to gain access to various online accounts.

Attempted Sale of Compromised Access

What makes this case particularly concerning is that the accused individuals reportedly went beyond gaining access to these accounts for their own use. They allegedly attempted to sell access to these compromised accounts, adding a layer of illegal profit to their activities.

A Third Co-Conspirator

It's worth noting that this case is not isolated, as a third individual named Joseph Garrison had previously been indicted on May 18, 2023, for his involvement in the same scheme. Garrison surrendered himself and later pleaded guilty to the charges in November. His sentencing is scheduled for February 1, which adds to the gravity of this situation.

The Scope of the Attack

While the official name of the targeted website is not explicitly mentioned in the FBI complaint, it appears that DraftKings was the victim. The company had previously announced in November 2022 that approximately 60,000 user accounts had been compromised in a credential stuffing attack.

According to court documents, Austad and Garrison gained access to around 60,000 user accounts on DraftKings in November 2022. Their modus operandi involved registering a new payment method, which allowed them to withdraw all the existing funds from these victim accounts.

Underground Shops and Social Media

The alleged cybercriminals didn't stop at accessing these accounts; they also reportedly sold access to the compromised accounts in bulk through various underground shops, some of which they directly controlled. Stokes, for instance, was said to have controlled his own shop, purchasing access to accounts in bulk. In total, Stokes obtained access to accounts valued at over $125,000 and advertised their availability on his shop via Instagram.

Technology and Financial Implications

The complaint further reveals the extent of the cybercriminals' sophistication. Austad is reported to have used artificial intelligence image generation tools to create advertisements for his shop of stolen user accounts. Additionally, he controlled cryptocurrency accounts that received approximately $465,000 in proceeds related to credential stuffing attacks and the sale of compromised accounts.

A Significant Theft

Collectively, Austad, Stokes, Garrison, and other potential co-conspirators are estimated to have stolen approximately $600,000 from roughly 1,600 victim accounts. This staggering figure highlights the substantial financial impact that such cybercrimes can have.

Austad and Stokes, who were arrested on January 29, now face a series of serious charges, including conspiracy to commit computer intrusion, unauthorized access to a computer, wire fraud, wire fraud conspiracy, and aggravated identity fraud. If found guilty, they could be looking at up to 20 years in prison.

The case of Nathan Austad and Kamerin Stokes serves as a stark reminder of the constant threat posed by cybercriminals and the need for individuals and organizations to remain vigilant in protecting their digital assets and personal information.

Read more