DraftKings initially told the public hackers stole less than $300,000 from its customers. The actual figure was $600,000, pulled from 1,600 accounts after 60,000 user accounts were compromised in a credential stuffing attack.
Nathan Austad, 21, using the alias "Snoopy," was sentenced to 18 months in federal prison on June 24, 2026. He pleaded guilty in December 2025 to conspiracy to commit computer intrusion. His cryptocurrency wallets received roughly $465,000 from selling access to stolen accounts through his own shop, named after the Peanuts character.
How 60,000 Accounts Fell in a Single Attack
Austad and his co-conspirators didn't break DraftKings' authentication system. They exploited weak and reused passwords from other breaches, a textbook credential stuffing campaign. DraftKings confirmed the attack in November 2022, initially saying only 67,995 accounts were compromised and less than $300,000 stolen. The final tally: 60,000 accounts breached, $600,000 in direct theft, plus additional revenue from selling account access on marketplaces like the "Goat Shop."
The U.S. Department of Justice unsealed charges against Joseph Garrison in May 2023, then added Kamerin Stokes ("TheMFNPlug") and Austad in January 2024. Garrison got 18 months. Stokes got 30 months in April 2026. Austad got the same sentence as Garrison, plus three years supervised release, $463,684 in forfeiture, and $1,327,061 in restitution.
Credential Stuffing Remains the Unfixed Tax on User Laziness
60,000 accounts compromised because users reused passwords. DraftKings added no meaningful friction. The attackers didn't need phishing or malware. They just sprayed stolen credential lists until they hit accounts with weak or reused login info.
Austad's operation was blatant. He admitted in direct messages to co-conspirators that he was perpetrating fraud and warned others to prepare. The DOJ noted his crypto receipts totaled around $465,000, though the full scheme generated far more for the group. The forfeiture and restitution orders aim to claw back some of that.
What This Means for Your Own Infrastructure
If you run any platform with money attached, assume credential stuffing is your highest-probability attack. DraftKings learned that lesson the hard way. The attackers didn't break encryption or find zero-days. They exploited the oldest vulnerability in the book: human password habits. Multi-factor authentication, device fingerprinting, and rate limiting on login endpoints would have stopped most of it. DraftKings rolled out MFA after the breach, but it should have been mandatory from day one.
Austad's 18 months won't deter the next 21-year-old with a credential list and a cryptocurrency wallet. The only mitigation is engineering systems that don't trust users to pick good passwords.
Source: DraftKings hacker 'Snoopy' sentenced to 18 months in prison
Domain: bleepingcomputer.com
Comments load interactively on the live page.