Posted on: April 20, 2026, 05:49h.
Last updated on: April 20, 2026, 05:49h.
- Hackers accessed DraftKings accounts using stolen login credentials
- Fraudsters added payment options and used small deposits to verify access
- Incident highlights rising risks in online betting account security
A Memphis, Tenn. man has been sentenced to 30 months in federal prison for his role in the November 2022 DraftKings hack that saw more than 60K accounts compromised and more than $600K stolen.
Kamerin Stokes, 23, aka “TheMFNPlug,” pleaded guilty almost two years ago to one count of conspiring to commit computer intrusion, according to the US Attorney’s Office for the Southern District of New York.
Along with his prison term, Stokes also faces three years of supervised release and has been ordered to pay $125,965.53 in forfeiture and $1,327,061 in restitution for his role in a credential-stuffing attack that caused DraftKings’ shares to fall 5% on the Nasdaq.
What is Credential Stuffing?
Credential stuffing is a type of cyberattack in which criminals use usernames and passwords stolen in unrelated data breaches and test them, often automatically at scale, against other websites. When users have reused the same credentials, attackers can gain access to their accounts without breaching the target company’s systems.
The hack caused a stock plunge because DraftKings had only recently launched its mobile sportsbook in many US markets and investors feared a drop-off in consumer confidence.
In this case, Stokes used automated tools to identify valid logins to betting accounts, which were then sold to others on the dark web who exploited them to withdraw funds.
Among them was a Madison, Wis. teenager named Jospeh Garrison, who once bragged to a coconspirator that “fraud is fun.”
Once Garrison and his accomplices accessed the DraftKings accounts, they were able to add new payment methods and then deposit $5 to verify them. This enabled them to withdraw all of the funds from the account.
‘Obsessed With Fraud’
Garrison, who claimed to be “addicted to seeing money in my account” and “obsessed with bypassing shit” made $2.1 million from cyberfraud by the time he was 18, according to federal prosecutors. He pleaded guilty to conspiracy to commit computer intrusion in November 2023 and in January 2024 was sentenced to 18 months in prison.
A third defendant, Nathan Austad, pleaded guilty in December 2025 and awaits sentencing.
After his plea, Stokes appropriated Garrison’s “fraud is fun” tagline, reviving his “shop” under that name. He said he had to reopen it because “gotta pay my attorneys.”
“Fraud is not fun,” federal prosecutors clarified in a news release. “Fraud on the street or fraud online will not be tolerated. Today’s federal prison sentence is a direct message to any others who think online fraud is different.”
Recent Comments