Kamerin Stokes, a 23-year-old from Memphis, Tennessee, has been sentenced to 30 months in prison for his involvement in a credential stuffing attack on DraftKings, an online betting platform.
In addition to his prison sentence, Stokes will serve three years of supervised release. He has also been ordered to pay $125,000 in forfeiture and $1.3 million in restitution as a result of his actions during the attack.
The credential stuffing attack occurred in 2022 and involved hackers accessing approximately 60,000 accounts by using username-password combinations obtained from previous data breaches. Stokes aimed to withdraw funds from these compromised accounts.
The Department of Justice (DoJ) did not specifically name DraftKings in their statements, instead referring to it as a fantasy sports and betting website that was targeted during the attack.
Stokes operated under the online alias āTheMFNPlugā and was involved in acquiring DraftKings accounts in bulk, which he then sold through an online marketplace that he controlled. Following his guilty plea, the Justice Department reported that Stokes reopened his online shop, where he continued to offer access to accounts at various other retailers.
According to the DoJ, Stokes was brazen in his operations, advertising his reopened shop with the tagline āfraud is fun,ā and claiming to have been running such shops for three years. He acknowledged the need for income, stating, āgotta pay my attorneys,ā in reference to his ongoing legal battle related to this case.
Stokes is not the only individual facing consequences for this scheme; two others have been charged in connection with the same credential stuffing attack. Joseph Garrison pleaded guilty in November 2023 and was sentenced to 18 months in prison in February 2024. Nathan Austad, who also participated in the attack and subsequent sale of account access, pleaded guilty in December 2025 and is awaiting sentencing.
Both Garrison and Austad collaborated with Stokes on the credential stuffing attack, which has continued to pose a threat to DraftKings. The company issued a warning to users about ongoing credential stuffing attempts in October 2025, highlighting the persistent nature of these cyber threats.
This case illustrates the serious repercussions of cybercrime and the ongoing efforts by law enforcement to combat such activities in the digital space.
Source: SecurityWeek News