DraftKings hacker sentenced to prison, ordered to pay $1.4 Million

A DraftKings hacker got 30 months in prison for selling stolen credentials and must pay over $1.4 million in fines and restitution.

Kamerin Stokes, 23, from Memphis (aka TheMFNPlug), received a 30-month prison sentence for his role in a 2022 credential stuffing attack against DraftKings. He continued selling stolen login data online even after pleading guilty. The court also ordered three years of supervised release, $125,000 in forfeiture, and $1.3 million in restitution, highlighting the financial impact of the breach and the consequences of ongoing cybercrime activity.

“United States Attorney for the Southern District of New York, Jay Clayton, announced today that KAMERIN STOKES, a/k/a “TheMFNPlug,” was sentenced to 30 months in prison for his role in a scheme to hack user accounts on a fantasy sports and betting website (the “Betting Website”) and sell access to those accounts, resulting in losses of hundreds of thousands of dollars to the users. STOKES was sentenced today before U.S. District Judge Naomi Reice Buchwald,” reads the press release published by the DoJ.

In November 2022, attackers carried out a credential stuffing attack against DraftKings using large sets of stolen usernames and passwords bought on the dark web. They tested these credentials across accounts, targeting users who reused the same login details. The attackers managed to access around 60,000 accounts. In some cases, they added new payment methods, deposited small amounts to verify them, and then withdrew the full balance to accounts they controlled. This allowed them to steal funds directly from victims, showing how dangerous password reuse can be and how easily attackers can exploit compromised credentials at scale.
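The cash-out pattern described above (a new payment method, a small verifying deposit, then withdrawal of the full balance) can be flagged from account event logs. The following is an added detection sketch, not code from DraftKings or the DoJ; the event schema, field names, thresholds and sample records are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real data):
# (timestamp, account, event, payment_method, amount, balance_before_event)
EVENTS = [
    ("2024-01-01T02:10:00", "acct-1001", "login", None, 0.0, 250.0),
    ("2024-01-01T02:11:30", "acct-1001", "payment_method_added", "pm-new-1", 0.0, 250.0),
    ("2024-01-01T02:12:10", "acct-1001", "deposit", "pm-new-1", 5.0, 250.0),
    ("2024-01-01T02:14:00", "acct-1001", "withdrawal", "pm-new-1", 255.0, 255.0),
    ("2024-01-01T09:00:00", "acct-2002", "login", None, 0.0, 80.0),
    ("2024-01-01T09:05:00", "acct-2002", "deposit", "pm-old-7", 50.0, 80.0),
    ("2024-01-02T20:00:00", "acct-2002", "withdrawal", "pm-old-7", 30.0, 130.0),
    ("2024-01-01T11:00:00", "acct-3003", "payment_method_added", "pm-new-3", 0.0, 400.0),
    ("2024-01-01T11:02:00", "acct-3003", "deposit", "pm-new-3", 200.0, 400.0),
    ("2024-01-01T11:30:00", "acct-3003", "withdrawal", "pm-new-3", 100.0, 600.0),
]

def flag_cashouts(events, window=timedelta(hours=1),
                  small_deposit=10.0, drain_ratio=0.9):
    """Return accounts where a newly added payment method receives a small
    deposit and is then used to withdraw most of the balance within `window`."""
    state = {}    # (account, method) -> {"added": datetime, "verified": bool}
    flagged = []
    for ts, acct, kind, method, amount, balance in sorted(events, key=lambda e: e[0]):
        t = datetime.fromisoformat(ts)
        key = (acct, method)
        if kind == "payment_method_added":
            state[key] = {"added": t, "verified": False}
        elif key in state and t - state[key]["added"] <= window:
            if kind == "deposit" and amount <= small_deposit:
                # A small deposit on a brand-new method looks like verification.
                state[key]["verified"] = True
            elif (kind == "withdrawal" and state[key]["verified"]
                  and balance > 0 and amount >= drain_ratio * balance
                  and acct not in flagged):
                flagged.append(acct)
    return flagged

if __name__ == "__main__":
    print(flag_cashouts(EVENTS))
```

Only the full three-step sequence on the same new payment method is flagged; established methods and ordinary deposit-then-partial-withdrawal activity are ignored.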

Stokes sold access to stolen DraftKings accounts through his own online shop under the alias “TheMFNPlug,” handling accounts worth over $125,000. Even after pleading guilty, he reopened the shop, selling stolen accounts from various platforms and promoting it with the slogan “fraud is fun.” He admitted running such operations for years and said he needed money for legal fees. Authorities arrested him again for violating release conditions and placed him back in custody.

“In addition to the prison term, STOKES, 23, of Memphis, Tennessee, was sentenced to three years of supervised release and ordered to pay $125,965.53 in forfeiture and $1,327,061 in restitution,” concludes the DoJ. “Mr. Clayton praised the outstanding work of the Federal Bureau of Investigation.”

In November 2022, DraftKings announced that approximately 68,000 accounts had been compromised in another credential stuffing attack.

In November 2023, US teenager Joseph Garrison pleaded guilty to his involvement in the credential stuffing attack. In January 2024, Garrison was sentenced to 18 months in prison.

Pierluigi Paganini

(SecurityAffairs – hacking, cybercrime)