Posted on: January 30, 2024, 08:47h.
Last updated on: January 30, 2024, 09:17h.
Two additional men were arrested on Monday for hacking DraftKings accounts and then stealing about $635K from customers, according to federal prosecutors and press reports.
In total, some 60K accounts were successfully compromised on the sports betting site in 2022. Funds were taken from approximately 1,600 accounts.
Using a scheme known as a “credential stuffing attack,” the hackers gained access to the site with a large list of credentials stolen from earlier data breaches.
Credential Stuffing Explained
Federal prosecutors explained that a credential stuffing attack is when someone “collects stolen credentials, or username and password pairs, obtained from other large-scale data breaches of other companies, which can be purchased on the dark web.”
“The threat actor then systematically attempts to use those stolen credentials to obtain unauthorized access to accounts held by the same user with other companies and providers, in order to compromise accounts where the user has maintained the same password,” the feds added.
One of the arrested suspects is Nathan Austad, 19, of Farmington, Minn., whose online alias is “Snoopy” (from the Peanuts cartoon). He was arrested in Minnesota.
Also arrested was Kamerin Stokes, 21, of Memphis, Tenn., who has the alias of “TheMFNPlug.”
A criminal complaint explained that illegal access to the victims’ accounts was sold on websites called “shops.” Austad’s shop was named after “Snoopy” the dog character from the Peanuts comic strip.
The suspects appear to have realized they could be subject to investigation. In May 2023, Austad sent out a message saying, “everyone knows their [sic] committing fraud.”
In December 2022, an unnamed co-conspirator in the plot texted, “lol fbi can’t do s**t.”
Numerous Charges
Both suspects appeared in federal court on Monday. If convicted, they could face decades in prison.
They are each charged with conspiracy to commit computer intrusions, unauthorized access to a protected computer to further intended fraud, unauthorized access to a protected computer, wire fraud conspiracy, wire fraud, and aggravated identity theft.
In addition, Austad allegedly had accounts containing about $465K worth of cryptocurrency, authorities said. It appeared the amounts placed in the accounts were from the credential stuffing attacks and proceeds from the sale of stolen accounts.
Prior Defendant to Be Sentenced
In November, a third defendant, Joseph Garrison, 19, of Madison, Wis., pled guilty in Manhattan federal court to conspiracy to commit computer intrusion. On Thursday, he’s scheduled to be sentenced by US District Judge Lewis A. Kaplan. Garrison faces up to five years in prison.
He once told one of his conspirators in an online message that “fraud is fun,” prosecutors said.
But federal officials are taking the case seriously.
“Our office is relentless in tracking down the perpetrators of cybercrime,” Manhattan US Attorney Damian Williams said in a statement announcing the two recent arrests.