In a recent indictment, Nathan Austad, a 19-year-old resident of Farmington, Minnesota, and Kamerin Stokes, aged 21, of Memphis, Tennessee, have been implicated in the DraftKings cyberattack of November 2022. The allegations include illegally acquiring data and using it for personal profit, and selling confidential details, causing considerable harm to the company and its clientele. Joseph Garrison, another collaborator in this venture, has already entered a guilty plea.
Demonstrable Evidence Presented by the FBI
Austad and Stokes, apprehended on the 29th of January, are charged with numerous crimes such as computer intrusion conspiracy, unauthorized computer access, wire fraud, wire fraud conspiracy, and severe identity fraud. A conviction could result in a prison sentence of up to 20 years. The cyberattack they executed targeted roughly 60,000 accounts on DraftKings, gaining unauthorized access with credentials exposed in other data breaches.
The culpable parties employed a range of strategies, like introducing new payment channels, to extract funds from the accounts of victims. They also traded access rights to the breached accounts en masse through illicit markets, some of which they managed directly. Stokes allegedly procured access rights to several accounts in bulk from Joseph Garrison, the third alleged co-conspirator, with a cumulative worth surpassing $125,000, and put them up for sale on his web-based storefront.
Stokes used Instagram to advertise the compromised accounts, which aided the FBI in its investigation of the case. Austad attracted the attention of authorities through his use of artificial intelligence image creation software to generate promotional images for his shop, which compiled stolen account data. Additionally, he was found to have operated cryptocurrency wallets that gathered around $465,000 in profit from credential-stuffing attacks and the sale of hijacked data.
Pressing Need for Gambling Operators to Respond Promptly to Such Threats
Joseph Garrison, a principal participant in the hacking syndicate, was indicted on the 18th of May 2023 due to his role in the conspiracy. Having voluntarily surrendered and pled guilty in November, Garrison is awaiting his sentencing on the 1st of February. The collective amount stolen by Austad, Stokes, Garrison, and their co-conspirators is estimated to be around $600,000, affecting roughly 1,600 individual accounts.
DraftKings has fully reimbursed the affected customers for the stolen amounts, underlining the company’s commitment to preserving the security of its clients’ personal and financial information. Being a high-profile casualty of cyberattacks, the operator has implemented comprehensive preventive measures against similar future intrusions. Such attacks are particularly damaging, as they impact not just financial resources, but also the company’s reputation.
With the increasing sophistication of cyberattacks that target a wide range of businesses, there is an escalating risk to our economic security.
FBI Assistant Director in Charge James Smith
This incident underscores the continual threats and challenges faced by online platforms, especially within the gambling and fantasy sports industry. Credential stuffing attacks are a substantial risk, which makes robust security protocols and greater user awareness necessary to prevent unauthorized access to accounts. Operators need to heed the lessons from this case and take proactive steps towards customer protection.