Facing charges for orchestrating a credential stuffing assault that led to unauthorized entry into numerous user accounts on a fantasy sports and betting platform, two more individuals find themselves under indictment.
Nathan Austad, a 19-year-old from Farmington, Minnesota, and Kamerin Stokes, a 21-year-old from Memphis, Tennessee, are alleged culprits in the compromise of accounts. They purportedly exploited usernames and passwords gleaned from previous data breaches and sought to peddle entry to these accounts.
A third collaborator, Joseph Garrison, was formally charged on May 18, 2023, for his involvement in the plot. Garrison surrendered on the same day, later pleading guilty in November. His sentencing is scheduled for February 1.
Although the FBI complaint (PDF) doesn’t explicitly name the targeted website, signs point to DraftKings, a platform that disclosed nearly 60,000 user accounts falling victim to a credential stuffing assault in November 2022.
Legal documents indicate that in the same month of 2022, Austad and Garrison infiltrated around 60,000 user accounts on the designated fantasy sports and betting platform.
Through the addition of a fresh payment method, the accused managed to withdraw all existing funds from the accounts of unsuspecting victims.
The perpetrators allegedly bulk-sold access to the compromised accounts via various underground marketplaces, some of which they directly administered.
As per the complaint, Stokes, overseeing his own marketplace, procured access to multiple accounts in bulk from Garrison. Stokes, through Instagram, advertised the compromised accounts, obtained through Garrison, with a cumulative value surpassing $125,000.
Further revelations in the complaint outline Austad’s communication with fellow conspirators about the ongoing investigation into the cyberattack, demonstrating his awareness of the fraudulent activities he was engaged in.
Employing artificial intelligence image generation tools, Austad crafted visuals to promote his stash of pilfered user accounts. He also managed cryptocurrency accounts, accumulating approximately $465,000 from proceeds linked to credential stuffing attacks and the trade of compromised accounts.
Collectively, Austad, Stokes, Garrison, and accomplices are estimated to have embezzled roughly $600,000 from around 1,600 victim accounts.
Arrested on January 29, Austad and Stokes now face charges including conspiracy to commit computer intrusion, unauthorized access to a computer, wire fraud, wire fraud conspiracy, and aggravated identity fraud. If proven guilty, they could be sentenced to up to 20 years in prison.