Full Report
23-year-old Kamerin Stokes of Memphis, Tennessee, was sentenced to 30 months in prison for selling access to tens of thousands of hacked DraftKings accounts. [...]
Analysis Summary
# Incident Report: Massive Credential Stuffing Attack Against DraftKings
## Executive Summary
In November 2022, DraftKings was targeted in a massive credential-stuffing attack that led to the compromise of approximately 68,000 user accounts. Threat actors leveraged credentials stolen from previous third-party breaches to hijack accounts, exfiltrated approximately $635,000 in customer funds, and resold account access through illicit online "shops." Kamerin Stokes, a primary reseller in this scheme, was sentenced to 30 months in prison after laundering the illicit access and continuing criminal operations while on pretrial release.
## Incident Details
- **Discovery Date:** November 2022
- **Incident Date:** November 2022
- **Affected Organization:** DraftKings (Secondary impacts to FanDuel and Chick-fil-A)
- **Sector:** Online Sports Betting / Entertainment
- **Geography:** United States (Attacker based in Memphis, TN)
## Timeline of Events
### Initial Access
- **Date/Time:** November 2022
- **Vector:** Credential Stuffing
- **Details:** Attackers Nathan Austad and Joseph Garrison utilized automated tools and lists of usernames/passwords leaked from unrelated historical data breaches to attempt logins on the DraftKings platform.
### Lateral Movement
- **Details:** Not applicable in a traditional network sense; attackers moved "horizontally" across thousands of individual user accounts rather than deep into the corporate infrastructure.
### Data Exfiltration/Impact
- **Financial Theft:** Attackers added new payment methods to 1,600 accounts, performed $5 verification deposits, and subsequently withdrew a total of $635,001.
- **Bulk Sale:** Access to the 68,000 accounts was sold to resellers, including Kamerin Stokes ("TheMFNPlug"), who marketed them via illicit web shops.
### Detection & Response
- **Detection:** DraftKings identified a surge in fraudulent withdrawals and unauthorized account logins in late 2022.
- **Response Actions:** The organization refunded victims, reset passwords, and cooperated with the FBI/DOJ, leading to the arrests of Garrison, Austad, and Stokes.
## Attack Methodology
- **Initial Access:** Credential Stuffing (using stolen lists from unrelated breaches).
- **Persistence:** Maintaining control of accounts by selling access to third parties via dedicated "shops."
- **Privilege Escalation:** Not applicable; access was limited to user-level permissions.
- **Defense Evasion:** Use of "verification deposits" ($5) to validate new payment methods without triggering immediate high-value fraud alerts.
- **Credential Access:** Purchase/acquisition of "combo lists" from past data breaches.
- **Discovery:** Identifying accounts with high balances for immediate "cash-out" operations.
- **Lateral Movement:** N/A.
- **Collection:** Aggregating account credentials and balance information.
- **Exfiltration:** Transferring funds via newly added fraudulent payment methods.
- **Impact:** Financial loss to customers and DraftKings; mass data exposure.
## Impact Assessment
- **Financial:** ~$635,000 stolen from users; $1.3M+ in restitution ordered; $2.1M in total illicit sales generated by the group.
- **Data Breach:** Compromise of nearly 68,000 accounts including personal betting data.
- **Operational:** Significant resources required for account restoration and manual refund processing.
- **Reputational:** Publicized security failure requiring a major "sports betting giant" to issue public warnings and refunds.
## Indicators of Compromise
- **Behavioral Indicators:**
- High-volume login attempts from disparate IP addresses (consistent with credential stuffing).
- Pattern of adding a new payment method followed immediately by a small ($5) deposit and a total balance withdrawal.
- **Online Presence:**
- Illicit shops operated by "TheMFNPlug" and "Snoopy."
## Response Actions
- **Containment Measures:** DraftKings forced password resets for affected users and blocked suspicious IP ranges.
- **Eradication Steps:** Legal action led to the shutdown of the illicit "shops" reselling the credentials.
- **Recovery Actions:** DraftKings refunded hundreds of thousands of dollars to affected customers.
## Lessons Learned
- **Password Reuse:** The success of the attack relied entirely on users reusing passwords across multiple platforms.
- **MFA Criticality:** Accounts without Multi-Factor Authentication (MFA) were the primary targets.
- **Pretrial Supervision:** The defendant (Stokes) relapsed into criminal activity ("Fraud is Fun" shop) while awaiting trial, highlighting the need for stricter digital monitoring of cyber-offenders.
## Recommendations
- **Enforce MFA:** Mandatory Multi-Factor Authentication for all accounts with financial links.
- **Credential Screening:** Implement services that check user passwords against known breached credential databases at the time of account creation or login.
- **Rate Limiting:** Enhance bot detection and rate-limiting to identify and block credential-stuffing patterns.
- **Withdrawal Cooling Periods:** Implement a mandatory "cooling off" period when a new payment method is added before large withdrawals can be made.