Two more indicted in DraftKings credential stuffing incident

Charlie Brown and Snoopy
Image: Shutterstock / Mercury Green

The Department of Justice has formally indicted two more men on charges relating to the 2022 credential stuffing attack on DraftKings customers.

Nathan Austad, a 19-year-old from Minnesota, and Kamerin Stokes, a 21-year-old from Memphis, TN have been charged with conspiracy to commit computer intrusion and five other fraud-related charges.

Joseph Garrison of Wisconsin plead guilty to one count of conspiracy to commit computer intrusion in November.

“Cyberattacks are growing increasingly more sophisticated, targeting all manner of businesses and posing a great risk to economic security.  Nathan Austad and Kamerin Stokes were allegedly part of a cyber intrusion that resulted in hundreds of thousands of dollars being stolen from victims’ accounts.   As these defendants found out, if you conduct a cyberattack for profit, you can bet the FBI can and will bring you to justice,” said FBI Assistant Director in Charge James Smith.

Per the complaint, Austad and Stokes conspired with Garrison to hack and sell access to more than 1,600 DraftKings account and over $600,000 in stolen funds.

Austad helped Garrison bypass the two-factor authentication mechanism on player accounts and also sold some of the accessed accounts on the dark web using his online handle, Snoopy.

Not long after Garrison plead guilty to his charge, Austad allegedly used his computer to prompt artificial intelligence to make a number of Snoopy-related images conveying that he had gotten away with the crime, including a “hyper realistic snoopy designed jet but instead of smoke trails it has money trails” and a “100 bill hyper realistic but instead of the president it is snoopy.”

“As alleged, Nathan Austad and Kamerin Stokes were involved a scheme to hack into the accounts of tens of thousands of victims and then to sell access to those stolen accounts online.  Our office is relentless in tracking down the perpetrators of cybercrime.  Earlier this month, we announced an SDNY Whistleblower Pilot Program to encourage early and voluntary self-disclosure of criminal activity.  To all cybercriminals: call us before we call you,” said U.S. Attorney Damian Williams.

The FBI also found evidence of Stokes’s involvement on his computer and social media, including posts where he was bragging about successfully depleting customer accounts of their balances.

Both Austad and Stokes were arrested and arraigned on Monday.