Kamerin Stokes, a 23-year-old from Memphis, Tennessee, has been sentenced to prison for his involvement in a credential stuffing attack that targeted the online betting platform DraftKings in 2022. This cyber attack compromised thousands of accounts, leading to significant financial losses.
Details of the Cyber Attack and Sentencing
Stokes received a 30-month prison sentence, followed by three years of supervised release. Additionally, he has been mandated to forfeit $125,000 and pay $1.3 million in restitution. The attack involved hackers exploiting around 60,000 accounts using stolen credentials from previous data breaches with the intention of withdrawing funds from these accounts.
Justice Department’s Findings
The Department of Justice, while not naming DraftKings directly, described the victim as a fantasy sports and betting website. Stokes, known online as ‘TheMFNPlug’, acquired and sold access to compromised DraftKings accounts through his own online marketplace. Despite pleading guilty, he resumed his illegal activities, advertising his new operation with the phrase “fraud is fun.”
According to the Justice Department, Stokes continued to sell access to various retail accounts, citing legal expenses as a reason for reopening his shop.
Additional Arrests and Ongoing Threats
Two other individuals, Joseph Garrison and Nathan Austad, have also been charged for their roles in the scheme. Garrison admitted guilt in November 2023 and was sentenced to 18 months in prison by February 2024. Austad pled guilty in December 2025 and is awaiting sentencing.
The incidents reflect an ongoing threat to DraftKings, which continues to face credential stuffing attacks. In October 2025, the company issued a warning to its users, emphasizing the need for vigilance and secure account management.
The broader implications of such cybercrimes highlight the persistent challenges faced by online platforms in safeguarding user data and maintaining trust.
