The final chapter in the 2022 DraftKings hack has closed. Nathan Austad, a Minnesota man who operated online under the alias "Snoopy," has been sentenced for his role in the credential stuffing attack that compromised accounts on the popular sports betting platform — becoming the third and final defendant sentenced in connection with the breach.
Background: The 2022 DraftKings Breach
In November 2022, DraftKings disclosed that attackers had used credential stuffing — a technique that automates login attempts using lists of previously breached username and password combinations — to compromise approximately 67,000 customer accounts. Victims lost a combined estimated $300,000 as attackers drained withdrawable funds from their betting accounts.
The attack exploited a fundamental weakness: customers who reused passwords from other breached services were vulnerable even though DraftKings' own systems were not directly compromised.
Austad's Role: The Storefront Operator
Austad's role in the scheme was as a criminal marketplace operator. Rather than conducting the credential stuffing attacks himself, Austad sold access to the compromised DraftKings accounts through an underground storefront — essentially acting as a broker between attackers who obtained the credentials and buyers looking to drain accounts.
This middleman model is increasingly common in cybercrime ecosystems, where attackers specialize in specific parts of an attack chain:
- Credential harvesters — obtain lists of breached credentials
- Stuffers — run automated tools to test credentials against platforms
- Storefront operators (Austad's role) — sell verified working accounts
- Cashers — withdraw or transfer funds from compromised accounts
The Full Defendant Picture
Austad is the third and final defendant sentenced in the DraftKings case. The prosecution of all three defendants represents a relatively complete enforcement action for a credential stuffing case — many such crimes go unprosecuted due to the difficulty of attribution and cross-jurisdictional complications.
Credential Stuffing: A Persistent Threat
The DraftKings case highlights why credential stuffing remains one of the most prevalent attack vectors against consumer platforms:
- Billions of credential pairs from historical breaches circulate freely on criminal forums
- Automation tools make it cheap and easy to test credentials at scale
- Many users continue to reuse passwords across multiple services
- Sports betting and gaming platforms are particularly attractive targets due to the presence of withdrawable funds
Protecting Yourself Against Credential Stuffing
The DraftKings breach is a reminder that your account on one platform can be compromised even when that platform's security is sound — if you're reusing a password that was leaked elsewhere.
Steps to take:
- Use a password manager — generate a unique, random password for every service
- Enable multi-factor authentication wherever available, especially on financial and gaming accounts
- Check Have I Been Pwned (haveibeenpwned.com) to see if your email addresses appear in known breaches
- Monitor your DraftKings (and other platform) account activity for unauthorized withdrawals or suspicious logins
- Enable login notifications so you're alerted to new device access
Platform-Side Defenses
For operators of consumer platforms with financial functionality, the DraftKings case offers a clear playbook for detection and prevention:
- Implement rate limiting and CAPTCHA on login endpoints
- Deploy behavioral analytics to detect automated login patterns
- Require re-authentication for fund withdrawals, even for logged-in sessions
- Use leaked credential databases to proactively identify and lock compromised accounts
- Enforce MFA as the default, not opt-in
The sentencing of all three defendants in the DraftKings case demonstrates that law enforcement is willing and able to pursue the full criminal ecosystem behind credential stuffing attacks — not just the direct attackers.