Man Sentenced to 30 Months for DraftKings Credential Stuffing Attack
AI-generated from multiple sources. Verify before acting on this reporting.
WASHINGTON — Kamerin Stokes was sentenced to 30 months in federal prison and ordered to pay $1.3 million in restitution on Thursday for his role in a 2022 cyberattack on the sports betting platform DraftKings.
The sentence, handed down in a U.S. District Court, marks the conclusion of a case involving a sophisticated credential stuffing operation that targeted millions of user accounts. Stokes, along with co-defendants Joseph Garrison and Nathan Austad, utilized automated tools to test stolen username and password combinations against the DraftKings login portal. The attack successfully compromised numerous accounts, allowing the group to withdraw funds before the breaches were detected.
Federal prosecutors stated that the defendants exploited credentials obtained from previous data breaches at other companies. By systematically entering these stolen credentials into DraftKings, the group bypassed security measures and gained unauthorized access to user wallets. The operation resulted in significant financial losses for the platform and its customers, prompting a coordinated investigation by federal authorities.
Stokes was found guilty of conspiracy to commit wire fraud and unauthorized access to a protected computer. The court ordered the restitution payment to cover the financial damages incurred by DraftKings and the affected users. The judgment also includes a period of supervised release following his prison term.
Joseph Garrison and Nathan Austad remain involved in the broader legal proceedings related to the incident. While Stokes has been sentenced, the status of the other defendants' cases continues to develop. Authorities have indicated that the investigation into the full scope of the cybercriminal network remains active.
The incident highlights the ongoing risks posed by credential stuffing attacks to financial and entertainment platforms. Security experts have noted that the reuse of passwords across multiple sites remains a critical vulnerability for consumers. DraftKings has since implemented additional security measures, including mandatory multi-factor authentication for all users.
The sentencing took place in the United States, with the case drawing attention from cybersecurity professionals and legal observers. The $1.3 million restitution order reflects the substantial financial impact of the attack on the company and its customers.
Questions remain regarding the full extent of the compromised data and whether other similar attacks are currently underway. Federal authorities have not disclosed the total number of accounts affected or the specific methods used to distribute the stolen funds. The case serves as a reminder of the persistent threat posed by organized cybercrime groups targeting digital platforms.
Stokes is expected to begin his prison term immediately following the sentencing. The restitution order will be enforced through federal collection procedures, with payments directed to the victims of the fraud. The legal process for Garrison and Austad is expected to continue in the coming months, with further details likely to emerge as the cases proceed through the judicial system.