Suspect pleads guilty to credential stuffing attack on DraftKings
A 21-year-old man from Farmington, Minnesota, has pleaded guilty to orchestrating a credential stuffing attack on the sports and betting website DraftKings. He now risks a prison sentence of up to five years.
In November 2022, the man, also known as “Snoopy,” and his co-conspirators launched a credential stuffing attack on DraftKings.
A credential stuffing attack is an attack in which hackers use illegally obtained login credentials from large-scale data breaches of other companies to log in to various online services.
Attackers systematically check whether they can log in to a website by using login details from another website. However, this attack method only works if people reuse the same password for multiple online accounts, and if companies allow such automated attacks.
The lead suspect and his co-conspirators made a series of attempts to log into thousands of user accounts using a large list of stolen credentials.
They managed to compromise approximately 60,000 user accounts. Next, they added a new payment method of their own to the accounts and then used it to withdraw all funds from the victims’ accounts to their own.
The attackers stole around $600,000 from approximately 1,600 victims on DraftKings’ website. Access to the affected users’ accounts was also sold on various websites. The suspect directly profited from this. He also controlled cryptocurrency accounts worth $465,000.
Earlier this month, the man pleaded guilty to conspiring to commit computer intrusion, which carries a maximum sentence of five years in prison.
“Today’s guilty plea shows our Office’s commitment to holding cybercriminals who hack and steal from our citizens to account. Let this be a warning: hackers and cybercriminals who target New Yorkers will be brought to justice,” US Attorney Jay Clayton said in a statement.
District Judge Abrams will impose a sentence on April 10th, 2026.
Unlock more exclusive Cybernews content on YouTube.
