As outlined in the unsealed criminal complaint, the plan involved an 18 November “credential stuffing attack”, which ultimately saw $600,000 stolen from 1,600 accounts. The two face a maximum of 57 years in prison for the offences.
The scheme saw Austad and the already charged Joseph Garrison collect username password pairs obtained in data breaches and made available for sale on the dark web.
The individuals then systemically applied the stolen credentials on DraftKings to obtain access. This was followed by attempts to sell access into the compromised accounts or directly steal the deposited money.
“As alleged, Nathan Austad and Kamerin Stokes were involved a scheme to hack into the accounts of tens of thousands of victims and then to sell access to those stolen accounts online,” said SDNY US attorney Damian Williams.
“Our office is relentless in tracking down the perpetrators of cybercrime. Earlier this month, we announced an SDNY Whistleblower Pilot Program to encourage early and voluntary self-disclosure of criminal activity. To all cybercriminals: call us before we call you.”
60,000 DraftKings account compromised
Through this “credential stuffing” method, Austad and Garrison successfully accessed 60,000 DraftKings accounts.
Once inside they were able to steal funds stored in the accounts. This was done by adding a new payment method and depositing $5 to verify, which allegedly enabled the individuals to withdraw funds using the newly added method.
Prosecutors said access to the accounts was sold on several websites that traffic stolen accounts, colloquially known as ‘shops’.Austad and Garrison sold some accounts on shops they directly controlled, including Austad’s shop named after comic strip character Snoopy.
The two then sold the details to the comprised accounts in bulk. Stokes was charged with purchasing a bulk order from the two with the intent to sell on account details from his own shop.
“Everyone knows their committing fraud”
Around 2 December, Austad messaged his co-conspirators about the existence of the FBI investigation into the fraud.
“everyone 3hould’ve been prepared for this before cashing out lol,” he wrote.
“lol fbi can’t do shit,” replied an unnamed user.
“like we I know the risk when we started lol . . . everyone knows their [sic] committing fraud,” added Austad in May 2023.
Prosecutors also detailed how Austad used AI tools to generate images using the following prompts:
“8k hyper-realistic digital art snoopy hacking into 8k hyper-realistic computer with hacker stuff on the screen,” “8k hyper realistic snoopy designed jet but instead of smoke trails it has money trails,” and, “100 bill hyper realistic but instead of the president its snoopy.”
Garrison pleaded guilty on November 15 2023. His sentencing is scheduled for 1 February in front of US district judge Lewis A. Kaplan.
“Cyberattacks are growing increasingly more sophisticated, targeting all manner of businesses and posing a great risk to economic security,” said FBI assistant director in charge James Smith.
“Nathan Austad and Kamerin Stokes were allegedly part of a cyber intrusion that resulted in hundreds of thousands of dollars being stolen from victims’ accounts. As these defendants found out, if you conduct a cyberattack for profit, you can bet the FBI can and will bring you to justice.”