Two individuals, Nathan Austad, 19, of Farmington, Minnesota, and Kamerin Stokes, 21, of Memphis, Tennessee, have been indicted for their roles in the November 2022 DraftKings cyberattack. They allegedly misused the illegally obtained data for personal gain, selling confidential information and inflicting damage on the operator and its clients. Joseph Garrison, a third co-conspirator, has already pleaded guilty.
The FBI Presented Substantial Evidence
Austad and Stokes, arrested on 29 January, face charges including conspiracy to commit computer intrusion, unauthorized access to a computer, wire fraud, wire fraud conspiracy, and aggravated identity fraud. If convicted, they could face up to 20 years in prison. Their attack targeted roughly 60,000 DraftKings accounts, which they accessed illegally using data from other breaches.
The attackers used various tactics, including registering new payment methods, to withdraw funds from victim accounts. They also sold access to the compromised accounts in bulk through underground shops, some of which they directly controlled. Stokes reportedly purchased access to accounts in bulk from Joseph Garrison, a third co-conspirator, amounting to over $125,000 in total value, and sold them via his online shop.
Stokes advertised the compromised accounts on his shop through Instagram, contributing to the FBI’s investigation into the case. Authorities highlighted Austad’s use of artificial intelligence image generation tools to create images promoting his shop of stolen user accounts. Additionally, he managed cryptocurrency wallets that received approximately $465,000 in proceeds from credential-stuffing attacks and the sale of compromised data.
Gambling Operators Must Swiftly Adapt to Such Threats
Joseph Garrison, a core member of the hacking group, was indicted on 18 May 2023 for his involvement in the scheme. Garrison had already surrendered and pleaded guilty in November, awaiting sentencing on 1 February. Austad, Stokes, Garrison, and other collaborators are estimated to have collectively stolen about $600,000 from approximately 1,600 victim accounts.
DraftKings has reimbursed customers for all the stolen money, noting that the security of clients’ personal and financial information was vital to the company. The operator is another high-profile victim of cyberattacks and has taken extensive measures to prevent similar occurrences. Such attacks can have more than just a financial cost, damaging the company’s reputation.
“Cyberattacks are growing increasingly more sophisticated, targeting all manner of businesses and posing a great risk to economic security.”
FBI Assistant Director in Charge James Smith
This incident highlights the ongoing threats and challenges for online platforms, especially those in the gambling and fantasy sports sectors. Credential stuffing attacks remain a significant risk, emphasizing the need for robust security measures and user education to prevent unauthorized access to accounts. Hopefully, more operators will take notice of this case and take preemptive action, ensuring the safety of their customers.