
Introduction
The long-running legal fallout from one of the most significant account takeover campaigns targeting the online betting industry has reached another milestone. A third individual involved in the 2022 cyberattack against DraftKings has now been sentenced, reinforcing a growing trend of aggressive law enforcement action against financially motivated cybercrime.
The case highlights how stolen credentials from unrelated breaches continue to fuel large-scale attacks against online platforms. While cybercriminals often believe they can remain anonymous behind cryptocurrencies, online aliases, and underground marketplaces, this investigation demonstrates that digital footprints can eventually lead authorities directly to the perpetrators.
The sentencing of Nathan Austad marks the latest chapter in a cybercrime operation that compromised thousands of customer accounts and generated hundreds of thousands of dollars in illegal profits.
Third Hacker Receives Prison Sentence
The United States Department of Justice announced that Nathan Austad, known online by the alias “Snoopy,” has been sentenced for his involvement in the 2022 credential-stuffing attack that targeted DraftKings.
Although prosecutors did not officially identify the victim company by name in their announcement, the details provided closely align with the widely reported DraftKings breach that occurred in late 2022.
Austad previously pleaded guilty in December 2025 and has now been sentenced to 18 months in federal prison. In addition to incarceration, he will serve three years of supervised release following his sentence.
The court also ordered him to pay approximately $1.8 million in restitution and forfeiture, reflecting the financial damage associated with the criminal operation.
How the Attack Worked
The attack was not the result of a sophisticated zero-day vulnerability or advanced malware campaign. Instead, the criminals relied on a technique known as credential stuffing.
Credential stuffing occurs when attackers obtain usernames and passwords leaked from previous data breaches and then automatically test those credentials across multiple websites and services.
Because many users reuse passwords across different platforms, attackers often succeed in gaining unauthorized access without ever needing to crack a password.
In the DraftKings incident, cybercriminals leveraged credentials stolen from unrelated breaches and successfully accessed more than 60,000 user accounts.
Once inside those accounts, they exploited available balances and withdrawal mechanisms to extract funds directly from victims.
This attack serves as another reminder that password reuse remains one of the most persistent security weaknesses affecting consumers worldwide.
Thousands of Accounts Impacted
According to federal prosecutors, Austad and his accomplices stole roughly $600,000 from approximately 1,600 compromised DraftKings accounts.
The financial impact extended beyond immediate theft. Victims often faced account recovery challenges, identity concerns, and disruptions to their online betting activities.
For affected users, the attack represented more than a monetary loss. It demonstrated how a compromised password from an unrelated breach can suddenly expose entirely different online accounts years later.
The scale of the attack also underscored the risks facing digital gaming and betting platforms, which routinely manage significant financial transactions and maintain large user bases.
Criminal Marketplace Operations
Investigators revealed that Austad was involved in more than simply accessing compromised accounts.
Authorities discovered that he operated a website dedicated to selling unauthorized access to stolen accounts.
Such marketplaces have become a cornerstone of modern cybercrime ecosystems, enabling specialized criminals to monetize stolen data without directly exploiting every compromised account themselves.
By selling account access, cybercriminals effectively create secondary criminal markets where other actors can purchase and exploit victims for additional fraud.
Federal investigators also traced cryptocurrency wallets linked to Austad.
Those wallets reportedly contained approximately $465,000, including proceeds connected to the criminal activity.
The discovery further demonstrates how cryptocurrency transactions, while often perceived as anonymous, can frequently be traced through blockchain analysis and forensic investigations.
Other Members of the Group Already Sentenced
Austad was not the only individual prosecuted in connection with the DraftKings attack.
Kamerin Stokes received a prison sentence of 30 months in April 2026 for his participation in the scheme.
Another participant, Joseph Garrison, was sentenced earlier in 2024 and received an 18-month prison term.
Together, the three cases illustrate a coordinated effort by federal authorities to pursue every identified member of the criminal operation.
Rather than focusing solely on major organizers, investigators targeted all individuals who contributed to the attack’s execution and monetization.
This approach reflects a broader shift toward dismantling entire cybercriminal ecosystems rather than prosecuting isolated offenders.
Criminal Confidence Turned Into Evidence
One of the most revealing aspects of the case involved communications exchanged among the defendants.
Authorities disclosed messages indicating that the participants were fully aware their activities were illegal.
Even more striking was the apparent confidence displayed by the group during the commission of their crimes.
According to prosecutors, the defendants discussed the ongoing federal investigation while continuing their criminal activities and reportedly expressed confidence that law enforcement would be unable to stop them.
Those communications ultimately became powerful evidence supporting the prosecution.
The case serves as another example of how digital conversations frequently become a critical source of intelligence during cybercrime investigations.
DOJ Sends a Strong Message
Federal officials emphasized that the outcome demonstrates the government’s commitment to protecting online financial ecosystems.
US Attorney Jay Clayton stated that the defendants openly dismissed the possibility of meaningful law enforcement action, only to discover that federal agencies were capable of tracing their activities and holding them accountable.
The successful prosecution involved cooperation between the Department of Justice, the FBI, and multiple investigative partners.
Their work resulted not only in convictions but also in the recovery and forfeiture of criminal proceeds.
For law enforcement agencies, the case represents an important victory against account takeover fraud and cyber-enabled financial theft.
The Growing Threat of Credential-Stuffing Attacks
Credential-stuffing attacks continue to be one of the most effective forms of cybercrime because they exploit human behavior rather than technical vulnerabilities.
Organizations spend millions securing infrastructure, deploying endpoint protection, and monitoring networks. Yet a single reused password can undermine those investments.
Attackers increasingly automate these operations using botnets and large credential databases collected from previous breaches.
Industries handling financial transactions remain especially attractive targets because successful account compromises can quickly translate into direct monetary gains.
As online betting, gaming, banking, and fintech services continue expanding, credential-stuffing campaigns are expected to remain a major threat.
Companies are increasingly deploying multi-factor authentication, behavioral analytics, risk-based authentication, and bot detection systems to counter these attacks.
However, user awareness remains equally important. Strong, unique passwords and multi-factor authentication continue to be among the most effective defenses against account takeover fraud.
What Undercode Say:
The DraftKings case is a textbook example of modern cybercrime economics.
This attack did not rely on advanced nation-state capabilities.
Instead, it exploited one of the oldest weaknesses in cybersecurity: password reuse.
The breach demonstrates how criminal success often depends more on user behavior than technical sophistication.
Credential stuffing remains highly profitable because leaked credentials are abundant.
Billions of stolen usernames and passwords circulate within underground communities.
Attackers no longer need to breach companies directly.
They simply weaponize previously leaked data.
The operation also highlights the industrialization of cybercrime.
Each participant played a specialized role.
Some obtained credentials.
Others managed automation tools.
Others handled monetization.
This mirrors legitimate business supply chains.
Cybercrime today operates as a mature underground economy.
The discovery of account-selling infrastructure is particularly significant.
Rather than stealing funds directly from every account, criminals increasingly sell access.
This lowers risk while creating additional criminal opportunities.
The cryptocurrency findings are equally important.
Many offenders still assume blockchain transactions provide complete anonymity.
Modern forensic analysis proves otherwise.
Investigators can reconstruct transaction paths with remarkable accuracy.
The sentencing also sends a strong deterrent message.
Online aliases offer limited protection against determined investigations.
Historical chat logs, cryptocurrency records, server logs, and marketplace activity often create extensive evidence trails.
Another notable lesson involves organizational defense strategies.
Companies can no longer rely solely on passwords.
Multi-factor authentication should be considered mandatory for financial services.
Behavioral monitoring is becoming equally critical.
Abnormal login locations, impossible travel events, unusual withdrawal patterns, and mass authentication attempts should all trigger automated investigation.
The DraftKings incident also reflects a larger cybersecurity trend.
Attackers increasingly prefer lower-risk, higher-volume fraud operations.
Rather than developing expensive exploits, they leverage already available stolen credentials.
This provides excellent return on investment for criminals.
For defenders, reducing password reuse remains one of the most impactful security improvements.
The broader lesson is simple.
The easiest attack path frequently becomes the most profitable one.
Until password reuse declines significantly, credential-stuffing attacks will remain a persistent challenge across nearly every online industry.
Deep Analysis: Linux Commands and Security Investigation Perspective
Cybersecurity investigators examining credential-stuffing incidents often rely on forensic and log-analysis techniques supported by Linux tools.
grep -iE "failed (login|password)" auth.log
Used to identify suspicious authentication attempts.
awk '{print $1}' access.log | sort | uniq -c
Helps detect repeated access patterns from specific sources.
netstat -ant
Displays active network connections during incident response.
ss -tulnp
Provides detailed socket and service information.
journalctl -xe
Useful for reviewing authentication and service-related logs.
last
Displays historical login records.
lastb
Shows failed login attempts.
grep POST access.log
Can reveal automated login activity.
tcpdump -i eth0
Captures network traffic for investigation.
whois <ip-address>
Assists with attribution and network ownership analysis.
sha256sum evidence.file
Verifies forensic evidence integrity.
find /var/log -type f
Locates relevant system logs.
ps aux
Identifies suspicious running processes.
lsof -i
Shows active network-connected applications.
fail2ban-client status
Reviews blocked IP addresses associated with brute-force attempts.
These commands represent the types of investigative methods security teams may use when responding to large-scale credential-stuffing campaigns similar to the DraftKings attack.
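The per-source counting above (awk, sort, uniq -c) can be extended to separate credential stuffing from ordinary brute forcing: stuffing shows one source trying many different accounts with a low success rate. The following is an added example, not part of the original report or of any tool it names; the log format, sample lines, function names and thresholds are constructed assumptions.

```bash
# Added example. Assumed application login log format (constructed):
#   <ISO timestamp> <source IP> <username> <OK|FAIL>

# Constructed sample lines using documentation IP ranges.
sample_log() {
cat <<'EOF'
2024-01-01T02:14:01Z 203.0.113.7 alice@example.com FAIL
2024-01-01T02:14:01Z 203.0.113.7 bob@example.com FAIL
2024-01-01T02:14:02Z 203.0.113.7 carol@example.com FAIL
2024-01-01T02:14:02Z 203.0.113.7 dave@example.com FAIL
2024-01-01T02:14:03Z 203.0.113.7 erin@example.com FAIL
2024-01-01T02:14:03Z 203.0.113.7 frank@example.com OK
2024-01-01T02:20:10Z 198.51.100.20 grace@example.com FAIL
2024-01-01T02:20:15Z 198.51.100.20 grace@example.com FAIL
2024-01-01T02:20:21Z 198.51.100.20 grace@example.com FAIL
2024-01-01T02:31:00Z 192.0.2.44 heidi@example.com FAIL
2024-01-01T02:31:09Z 192.0.2.44 heidi@example.com OK
2024-01-01T02:40:00Z 192.0.2.99 ivan@example.com OK
2024-01-01T02:41:00Z 192.0.2.99 judy@example.com OK
2024-01-01T02:42:00Z 192.0.2.99 mallory@example.com OK
EOF
}

# stuffing_suspects MIN_USERS MAX_SUCCESS_PCT   (reads the log on stdin)
# Prints "ip attempts distinct_users successes" for every source that tried at
# least MIN_USERS different accounts with a success rate <= MAX_SUCCESS_PCT.
stuffing_suspects() {
  awk -v min_users="$1" -v max_pct="$2" '
    NF == 4 {
      attempts[$2]++
      if (!(($2, $3) in seen)) { seen[$2, $3] = 1; users[$2]++ }
      if ($4 == "OK") ok[$2]++
    }
    END {
      for (ip in attempts)
        if (users[ip] >= min_users && ok[ip] * 100 <= max_pct * attempts[ip])
          printf "%s %d %d %d\n", ip, attempts[ip], users[ip], ok[ip]
    }' | sort
}

# hit_accounts IP: accounts that source logged in to, i.e. the ones to lock and reset.
hit_accounts() {
  awk -v ip="$1" '$2 == ip && $4 == "OK" { print $3 }' | sort -u
}

sample_log | stuffing_suspects 5 20   # prints: 203.0.113.7 6 6 1
```

Per-source counting misses campaigns that spread attempts across a botnet, so the same grouping is worth running per account and against the site-wide failure rate as well.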
✅ Federal authorities confirmed Nathan Austad received an 18-month prison sentence along with supervised release and financial penalties.
✅ Approximately 1,600 compromised accounts were reportedly used to steal around $600,000 according to court and DOJ findings.
✅ Multiple participants connected to the operation have now been convicted and sentenced, demonstrating a documented law enforcement investigation rather than allegations or unverified claims.
Prediction
(+1) More betting and fintech platforms will deploy mandatory multi-factor authentication to reduce account takeover risks.
(+1) Law enforcement agencies will continue expanding cryptocurrency tracing capabilities, increasing the likelihood of future cybercriminal arrests.
(+1) Behavioral analytics and AI-driven fraud detection systems will become standard defenses against credential-stuffing campaigns.
(-1) Password reuse by consumers will continue providing opportunities for similar attacks across multiple industries.
(-1) Underground marketplaces selling compromised accounts are likely to remain active despite increased enforcement actions.
(-1) Credential databases from historical breaches will continue fueling account takeover operations for years to come.
References:
Reported By: www.securityweek.com




