Deputy Editor
A 21-year-old hacker who contributed to a group effort that reportedly stole about $600,000 from around 1,600 compromised DraftKings accounts has pleaded guilty to computer intrusion conspiracy. He faces up to a five-year prison sentence, though at least one co-conspirator in the case has already received a much lesser sentence.
Nathan ‘Snoopy’ Austad, of Minnesota, admitted in court that he helped engineer a “credential stuffing” attack on DraftKings in November 2022.
His co-conspirators, Kamerin Stokes and Joseph Garrison, have already pleaded guilty. Garrison received an 18-month prison sentence. He also received a three-year supervised release and was ordered to pay back more than $1.4 million.
Austad will receive his sentencing on April 10, 2026.
Credential stuffing is a type of cyberattack wherein criminals use compromised log-in credentials from outside sources to access users’ accounts. The attacks rely on the individuals who own the accounts using the same usernames and/or passwords at different websites.
Users can protect themselves against credential stuffing attacks by varying their log-in credentials, as well as using multi-factor authentication.
DraftKings maintains that its own systems have not been compromised in the incident. However, it did admit that a much smaller-scale credential stuffing attack successfully gained access to around 30 user accounts in October.
Keep Reading
- DraftKings Prepares to Offer Prediction Markets Despite Regulators’ Warnings, But Will Steer Clear of Sports
- FanDuel and DraftKings Leave the American Gaming Association to Pursue Prediction Market Opportunities
- GhostRedirector: New SEO Fraud Scheme to Promote Online Gambling Believed to Originate From Chinese Hackers
How Hacker Group Stole $600K From DK Accounts
According to the FBI’s report, the hackers used a list of stolen log-in credentials obtained from data breaches at other websites. They reportedly purchased the stolen credentials on the darkweb.
Once they’d accessed the accounts, the hackers then deposited a small amount of money to verify a new payment method. Then, they drained the victims’ accounts using that same payment method.
While the hackers accessed more than 60,000 accounts successfully, the FBI listed about 1,600 victims. According to the FBI, they sold access to some of the accounts and received cryptocurrency as payments.
Security Week reported that Austad pocketed $465,000 in crypto from the scheme.
Image credit: Christoph Scholz/Flickr (license)
