Executive Summary
In November 2022, DraftKings, a prominent sports betting platform, experienced a credential-stuffing attack that compromised nearly 68,000 user accounts. Attackers utilized previously stolen credentials to gain unauthorized access, leading to the theft of approximately $635,000 from around 1,600 accounts. The perpetrators, including Nathan Austad and Joseph Garrison, sold access to these accounts, with accomplice Kamerin Stokes reselling them through his own platform. Stokes, known online as 'TheMFNPlug,' continued his illicit activities even after initial legal actions, reopening his shop with the tagline 'fraud is fun.'
This incident underscores the persistent threat of credential-stuffing attacks, especially in industries handling sensitive financial information. The case highlights the importance of robust cybersecurity measures and the need for users to employ unique, strong passwords across different platforms to mitigate such risks.
Why This Matters Now
The sentencing of individuals involved in the DraftKings credential-stuffing attack serves as a critical reminder of the ongoing vulnerabilities in online platforms. As cybercriminals continue to exploit reused credentials, organizations must prioritize implementing advanced security protocols, and users should adopt stringent password practices to safeguard against such breaches.
Attack Path Analysis
In November 2022, attackers utilized previously breached credentials to perform a credential stuffing attack against DraftKings accounts, leading to unauthorized access and financial theft. Once access was gained, attackers escalated privileges by changing account settings, including passwords and enabling two-factor authentication linked to their own devices. With control over the accounts, they moved laterally to exploit linked financial instruments, adding new payment methods and verifying them with small deposits. The attackers established command and control by maintaining persistent access through the modified account settings. They then exfiltrated funds by withdrawing as much money as possible from the victims' linked bank accounts. The impact was significant, with approximately $300,000 stolen from around 1,600 compromised accounts.
Kill Chain Progression
Initial Compromise
Description
Attackers used previously breached credentials to perform a credential stuffing attack against DraftKings accounts, gaining unauthorized access.
MITRE ATT&CK® Techniques
- Credential Stuffing
- Valid Accounts
- Account Discovery: Domain Account
- Phishing: Spearphishing Attachment
- Application Layer Protocol: Web Protocols
- Remote Services: Remote Desktop Protocol
- OS Credential Dumping: LSASS Memory
- Data Encrypted for Impact
Potential Compliance Exposure
Mapping of the incident's impact across multiple compliance frameworks:
- PCI DSS 4.0 – Multi-Factor Authentication (Control ID: 8.3.6)
- NYDFS 23 NYCRR 500 – Access Privileges (Control ID: 500.07)
- DORA – ICT Risk Management Framework (Control ID: Article 5)
- CISA ZTMM 2.0 – User Authentication and Authorization (Control ID: Identity and Access Management)
- NIS2 Directive – Cybersecurity Risk Management Measures (Control ID: Article 21)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Gambling/Casinos
The DraftKings credential stuffing attack demonstrates direct exposure to account takeovers, fund theft, and large customer restitution costs, which calls for enhanced authentication controls.
Financial Services
Credential stuffing attacks expose weaknesses in payment processing, requiring zero trust segmentation and egress security to prevent unauthorized fund withdrawals and transfers.
Computer Software/Engineering
Multi-platform credential reuse attacks highlight the need for encrypted traffic monitoring, anomaly detection, and secure API implementations across SaaS betting platforms.
Restaurants
Chick-fil-A account compromises in the same operation show that restaurant loyalty programs face similar credential stuffing risks and require enhanced customer data protection measures.
Sources
- Man gets 30 months for selling thousands of hacked DraftKings accounts: https://www.bleepingcomputer.com/news/security/man-gets-30-months-for-selling-thousands-of-hacked-draftkings-accounts/
- DraftKings reveals thousands of customer accounts hit by cyberattack: https://www.techradar.com/news/draftkings-reveals-thousands-of-customer-accounts-hit-by-cyberattack
- DraftKings says no evidence systems were breached following report of a hack: https://www.cnbc.com/2022/11/21/draftkings-says-no-evidence-systems-were-breached-following-report-of-a-hack.html
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is pertinent to this incident as it could have constrained the attackers' ability to exploit compromised credentials and perform unauthorized actions within the cloud environment. By implementing identity-aware controls and dynamic segmentation, CNSF would likely have limited the attackers' lateral movement and reduced the overall blast radius of the breach.
- Control: Cloud Native Security Fabric (CNSF). Mitigation: the attackers' ability to exploit compromised credentials would likely have been constrained, reducing unauthorized access to cloud resources.
- Control: Zero Trust Segmentation. Mitigation: the attackers' ability to escalate privileges by modifying account settings would likely have been constrained, limiting unauthorized changes.
- Control: East-West Traffic Security. Mitigation: the attackers' ability to move laterally and exploit linked financial instruments would likely have been constrained, reducing unauthorized financial activities.
- Control: Multicloud Visibility & Control. Mitigation: the attackers' ability to maintain persistent access would likely have been constrained, limiting their control over compromised accounts.
- Control: Egress Security & Policy Enforcement. Mitigation: the attackers' ability to exfiltrate funds would likely have been constrained, reducing unauthorized financial withdrawals.
The financial impact of the breach would likely have been reduced, limiting the extent of monetary losses.
Impact at a Glance
Affected Business Functions
- User Account Management
- Financial Transactions
- Customer Support
Estimated downtime: 7 days
Estimated loss: $635,000
Personal information of approximately 68,000 customers, including names, addresses, phone numbers, email addresses, and partial payment card details.
Recommended Actions
Key Takeaways & Next Steps
- Implement multi-factor authentication (MFA) across all user accounts to prevent unauthorized access.
- Enforce strong, unique password policies and educate users on the risks of credential reuse.
- Deploy anomaly detection systems to identify and respond to unusual account activities promptly.
- Utilize zero trust segmentation to limit lateral movement within the network.
- Establish robust egress security and policy enforcement to monitor and control outbound traffic.
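The anomaly-detection recommendation above, and the attack path described earlier (many logins from one source followed by a password change, a new MFA device and a new payment method on the account), can be turned into two concrete detections. The following is an added illustration written for this page, not code from the original report or from DraftKings or Aviatrix. It assumes a simple constructed log format (`timestamp event username source_ip`), the event names `LOGIN_OK`, `LOGIN_FAIL`, `PASSWORD_CHANGE`, `MFA_ENROLL`, `PAYMENT_METHOD_ADD` and `WITHDRAWAL`, and the thresholds in the function signatures; all of these are assumptions, and the sample log is constructed, not real data.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample events (not real DraftKings data). One line per event:
# <ISO-8601 UTC timestamp> <event> <username> <source_ip>
# 198.51.100.7 sprays one password guess across many accounts, lands on
# user010, then reconfigures the account; 203.0.113.5 is a normal user typo.
SAMPLE_LOG = """\
2022-11-18T02:00:01Z LOGIN_FAIL user001 198.51.100.7
2022-11-18T02:00:02Z LOGIN_FAIL user002 198.51.100.7
2022-11-18T02:00:03Z LOGIN_FAIL user003 198.51.100.7
2022-11-18T02:00:04Z LOGIN_FAIL user004 198.51.100.7
2022-11-18T02:00:05Z LOGIN_FAIL user005 198.51.100.7
2022-11-18T02:00:06Z LOGIN_FAIL user006 198.51.100.7
2022-11-18T02:00:07Z LOGIN_FAIL user007 198.51.100.7
2022-11-18T02:00:08Z LOGIN_FAIL user008 198.51.100.7
2022-11-18T02:00:09Z LOGIN_FAIL user009 198.51.100.7
2022-11-18T02:00:10Z LOGIN_OK user010 198.51.100.7
2022-11-18T02:00:11Z LOGIN_FAIL user011 198.51.100.7
2022-11-18T02:00:12Z LOGIN_FAIL user012 198.51.100.7
2022-11-18T02:03:00Z PASSWORD_CHANGE user010 198.51.100.7
2022-11-18T02:04:10Z MFA_ENROLL user010 198.51.100.7
2022-11-18T02:06:30Z PAYMENT_METHOD_ADD user010 198.51.100.7
2022-11-18T02:09:00Z WITHDRAWAL user010 198.51.100.7
2022-11-18T09:15:00Z LOGIN_FAIL user042 203.0.113.5
2022-11-18T09:15:20Z LOGIN_OK user042 203.0.113.5
2022-11-18T09:20:00Z PASSWORD_CHANGE user042 203.0.113.5
"""

# Account changes that, taken together shortly after a login, match the
# takeover pattern described in the attack path (assumed event names).
TAKEOVER_STEPS = {"PASSWORD_CHANGE", "MFA_ENROLL", "PAYMENT_METHOD_ADD"}


def parse_events(text):
    """Parse the assumed log format into time-sorted event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, user, ip = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"ts": when, "event": event, "user": user, "ip": ip})
    events.sort(key=lambda e: e["ts"])
    return events


def find_stuffing_sources(events, window=timedelta(minutes=5), min_attempts=10,
                          min_distinct_users=8, max_success_ratio=0.25):
    """Return {ip: summary} for sources whose login attempts inside any sliding
    `window` touch many distinct usernames with a low success rate. That shape
    (one source, many accounts, mostly failures) is what distinguishes credential
    stuffing from a single user mistyping a password."""
    by_ip = defaultdict(list)
    for e in events:
        if e["event"] in ("LOGIN_OK", "LOGIN_FAIL"):
            by_ip[e["ip"]].append(e)
    flagged = {}
    for ip, attempts in by_ip.items():
        start = 0
        for end in range(len(attempts)):
            # Advance the window start so the span never exceeds `window`.
            while attempts[end]["ts"] - attempts[start]["ts"] > window:
                start += 1
            span = attempts[start:end + 1]
            users = {a["user"] for a in span}
            successes = sum(a["event"] == "LOGIN_OK" for a in span)
            if (len(span) >= min_attempts and len(users) >= min_distinct_users
                    and successes / len(span) <= max_success_ratio):
                flagged[ip] = {
                    "attempts": len(span),
                    "distinct_users": len(users),
                    "successes": successes,
                    # Accounts that accepted a guess from this source: review first.
                    "successful_logins": sorted(
                        a["user"] for a in span if a["event"] == "LOGIN_OK"),
                }
                break
    return flagged


def find_takeover_sequences(events, window=timedelta(minutes=30)):
    """Return [(user, ip, login_time)] where a successful login is followed within
    `window`, from the same source, by all three takeover steps. A single step
    (e.g. a user changing a password) is not enough to alert on."""
    hits = []
    for login in (e for e in events if e["event"] == "LOGIN_OK"):
        seen = set()
        for e in events:
            if (e["user"] == login["user"] and e["ip"] == login["ip"]
                    and login["ts"] < e["ts"] <= login["ts"] + window
                    and e["event"] in TAKEOVER_STEPS):
                seen.add(e["event"])
        if seen == TAKEOVER_STEPS:
            hits.append((login["user"], login["ip"], login["ts"].isoformat()))
    return hits


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("credential-stuffing sources:", find_stuffing_sources(evs))
    print("takeover sequences:", find_takeover_sequences(evs))
```

Run on the constructed log, the first detector flags 198.51.100.7 (ten attempts against ten distinct accounts with one success) and the second flags `user010`, whose login from that source was followed by a password change, MFA enrollment and a new payment method within 30 minutes; 203.0.113.5 and `user042` trip neither rule. In production the thresholds would be tuned per platform, and a hit on the second rule is a good trigger to hold withdrawals on the account pending step-up verification.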