Key Takeaways
- Nathan Austad ('Snoopy') received 18 months in prison for his role in the November 2022 DraftKings breach that compromised 60,000 accounts
- The hacking ring stole $600,000 by adding fraudulent payment methods to 1,600 victim accounts
- Austad must pay $463,684 in forfeiture and over $1.3 million in restitution
Nathan Austad, a 21-year-old Minnesota man who operated under the alias 'Snoopy,' was sentenced to 18 months in federal prison for his role in the November 2022 DraftKings cyberattack. The breach compromised 60,000 user accounts and resulted in $600,000 stolen from customers of the sports betting platform.
Austad pleaded guilty in December 2025 to conspiracy to commit computer intrusion. Beyond prison time, he faces three years of supervised release and must pay $463,684 in forfeiture plus $1,327,061 in restitution. The sentence matches what co-conspirator Joseph Garrison received in January 2024, while a third defendant, Kamerin Stokes ('TheMFNPlug'), drew 30 months in April 2026.
How the DraftKings credential stuffing attack worked
The hackers exploited a common vulnerability: password reuse. They obtained username and password combinations from previous, unrelated data breaches, then tested those credentials against DraftKings accounts. When users had recycled passwords, the attackers walked right in.
Once inside, the ring added payment methods they controlled to 1,600 accounts. They drained funds, then sold access to the remaining compromised accounts through online marketplaces. Austad ran his own shop, named after the Peanuts comic strip character, and also used other platforms to move stolen credentials.
According to the Department of Justice, Austad's cryptocurrency accounts received approximately $465,000 in assets. Prosecutors cited direct messages where Austad admitted to the fraudulent activity and warned co-conspirators to prepare.
Timeline of the DraftKings breach investigation
Why credential stuffing remains a persistent threat
The DraftKings breach wasn't sophisticated. It didn't require zero-day exploits or advanced persistent threat tactics. The attackers simply bet that a large percentage of users would reuse passwords, and they won that bet 60,000 times.
This attack pattern persists because the raw materials are cheap and abundant. Billions of credentials from past breaches circulate on dark web marketplaces. Automated tools test thousands of login combinations per minute. When a hit lands on a platform holding real money, like a sports betting site, the payoff is immediate.
DraftKings reportedly reimbursed affected customers for their losses. The company now encourages users to enable two-factor authentication and use unique passwords, standard advice that clearly wasn't universally followed before the breach.
What the sentencing signals for cybercrime enforcement
The 18-month sentences for Austad and Garrison, with Stokes drawing 30 months, suggest federal prosecutors are treating credential stuffing rings seriously but not necessarily as major cybercrime cases. These aren't life-altering sentences. For a 21-year-old who netted roughly $465,000 in cryptocurrency, the calculation might not seem entirely unfavorable.
The restitution orders are the sharper punishment. Austad owes nearly $1.8 million combined in forfeiture and restitution. That debt will follow him for years, assuming he can't pay it from seized assets. Whether that deters future attackers is an open question.
Logicity's Take
The real story here isn't the 18-month sentence. It's that three young Americans made hundreds of thousands of dollars by exploiting the most basic security failure: password reuse. Until platforms enforce mandatory two-factor authentication rather than merely encouraging it, and until users stop treating 'password123' as adequate, credential stuffing will remain profitable. The legal system can prosecute these cases, but it can't patch human behavior.
Frequently asked questions
Frequently Asked Questions
What is a credential stuffing attack?
Credential stuffing uses stolen username and password combinations from previous data breaches to attempt logins on other platforms. It exploits users who reuse passwords across multiple sites.
How many DraftKings accounts were compromised in the 2022 breach?
Approximately 60,000 accounts were compromised in the November 2022 credential stuffing attack, though DraftKings initially disclosed nearly 68,000 affected accounts.
Did DraftKings reimburse customers who lost money?
Yes, DraftKings reportedly reimbursed affected customers for funds stolen during the breach.
How can I protect my accounts from credential stuffing?
Use unique passwords for each account, enable two-factor authentication where available, and consider a password manager to generate and store complex credentials.
Who else was charged in the DraftKings hacking case?
Joseph Garrison and Kamerin Stokes ('TheMFNPlug') were also charged. Garrison received 18 months in January 2024, and Stokes received 30 months in April 2026.
Need Help Implementing This?
If your organization needs guidance on credential security, multi-factor authentication deployment, or breach response planning, contact Logicity's security advisory team for expert consultation.
Source: BleepingComputer
Manaal Khan
Tech & Innovation Writer
Produced with AI assistance and reviewed by the Logicity editorial team. Learn more in our Editorial Policy.
