CyberHappenings logo
Home Browse Watchlists Experimental About

Track cybersecurity events as they unfold. Sourced timelines. Filter, sort, and browse. Fast, privacy‑respecting. No invasive ads, no tracking.

Credential Stuffing Attack on Fantasy Sports Betting Platform

First reported
Last updated
2 unique sources, 2 articles

Summary

Hide ▲

A credential stuffing attack on a fantasy sports betting platform compromised nearly 68,000 accounts and resulted in financial losses exceeding $635,000. Three defendants—Nathan Austad, Joseph Garrison, and Kamerin Stokes—have pleaded guilty or been sentenced in connection with the breach. Austad and Garrison used stolen credentials from multiple breaches to gain unauthorized access, sell compromised accounts, and launder proceeds totaling over $2.1 million. Stokes, who resold access in bulk, was sentenced to 30 months in prison and ordered to pay over $1.45 million in restitution and forfeiture after reopening his criminal enterprise despite prior guilty pleas and pretrial release violations. The attack occurred in November 2022 and exploited a new payment method and $5 deposit verification to drain funds rapidly. DraftKings subsequently refunded affected users. Investigations revealed coordinated operations spanning DraftKings, FanDuel, and Chick-fil-A accounts, with Stokes running online ‘shops’ for years prior to his arrest.

Timeline

  1. 15.12.2025 18:45 2 articles · 4mo ago

    Third Defendant Pleads Guilty in Fantasy Sports Betting Hack Case

    Nathan Austad, 21, of Farmington, Minnesota, pleaded guilty to conspiring to commit computer intrusion in connection with a credential stuffing attack on a fantasy sports and betting platform. The attack compromised over 60,000 user accounts, resulting in financial losses of approximately $600,000 from around 1,600 victims. Austad is the third defendant to plead guilty in this case, with sentencing scheduled for April 2026. Additional details confirmed: Kamerin Stokes of Memphis, Tennessee, was sentenced to 30 months in prison for selling access to tens of thousands of hacked DraftKings accounts. The accounts were hijacked by Austad (aka Snoopy) with the help of Joseph Garrison in a November 2022 credential-stuffing attack that compromised nearly 68,000 DraftKings accounts. Austad and Garrison used credentials stolen in multiple breaches to hack into DraftKings accounts and sold access to others who stole around $635,000 from roughly 1,600 compromised accounts. They made over $2.1 million selling hijacked accounts through their own shops and in bulk to Stokes. DraftKings refunded hundreds of thousands of dollars stolen from hacked accounts after funds were withdrawn following the addition of a new payment method and a $5 deposit to verify its validity. Stokes reopened his shop with a 'fraud is fun' tagline after pleading guilty and being released awaiting trial, violating pretrial release conditions, and was ordered to pay $1,327,061 in restitution and $125,965.53 in forfeiture.

    Show sources
    Open in new tab

Information Snippets

Similar Happenings

Massive FanDuel Fraud Scheme Using Stolen Identities

Two Connecticut men, Amitoj Kapoor and Siddharth Lillaney, have been charged with defrauding FanDuel and other online gambling sites of $3 million over several years using stolen identities of approximately 3,000 victims. The scheme involved purchasing stolen personally identifiable information (PII) from darknet markets and Telegram, creating fraudulent accounts, and exploiting promotional bonuses. The defendants used background-check services to verify identities and organized stolen data in a spreadsheet. They transferred winnings to virtual stored-value cards and moved fraudulent proceeds to their bank and investment accounts. The indictment was returned by a federal grand jury in New Haven on February 3, 2026, and the defendants were released on a $300,000 bond each pending further proceedings.

Open in new tab

Jordanian Cybercriminal Admits Selling Access to 50 Enterprise Networks

Feras Khalil Ahmad Albashiti, a 40-year-old Jordanian national residing in Georgia, pleaded guilty in a US court to selling unauthorized access to at least 50 compromised enterprise networks. The access was sold to an undercover agent on an underground cybercriminal forum. Albashiti, known online as 'r1z,' received payment in cryptocurrency. He faces up to 10 years in prison and a $250,000 fine, with sentencing scheduled for May 11, 2026. The Justice Department's Office of International Affairs secured Albashiti's extradition from Georgia in July 2024. Initial access brokers like Albashiti are critical middlemen in the cybercrime ecosystem, providing other threat actors with the credentials needed to breach victims' networks and drop malicious tools to steal data, deploy ransomware, or conduct espionage.

Open in new tab