DraftKings hacker sentenced to 30 months for credential stuffing scheme

Security Affairs reports that Kamerin Stokes, also known as "TheMFNPlug," has been sentenced to 30 months in prison for his involvement in a large-scale credential stuffing attack against DraftKings. The 23-year-old from Memphis was also ordered to pay over $1.4 million in fines and restitution for selling stolen login credentials online.

In November 2022, attackers utilized a credential stuffing method, employing vast lists of stolen usernames and passwords acquired from the dark web to infiltrate DraftKings accounts. This attack targeted users who reused credentials across multiple platforms, successfully compromising approximately 60,000 accounts. The perpetrators exploited this by adding new payment methods, making small deposits to verify them, and then draining the full balances into their own controlled accounts.

Stokes, operating his own online shop, sold access to these compromised DraftKings accounts, valued at over $125,000. He continued his illicit activities even after pleading guilty, reopening his shop and promoting it with the slogan "fraud is fun."

Source: Security Affairs