Cybercriminals accused of stealing $600,000 from betting and fantasy sports sites

Two more men have been charged with hacking an unnamed fantasy sports and sports betting website following an investigation conducted by the FBI and the Southern District of New York Attorney’s office.

Nathan Austad from Minnesota and Kamerin Stokes of Tennessee have been accused of hacking user accounts and selling them on selling access to them for thousands of dollars on the dark web.

The charges against the pair consist of conspiracy to commit computer intrusions, unauthorized access to a protected computer to further intended fraud, wire fraud, aggravated identity theft, and unauthorized access to a protected computer.

If found guilty of all counts, the maximum sentence is up to 57 years in prison.

Stokes, Austad and a third man, Joseph Garrison, are alleged to have stolen $600,000 from around 1,600 accounts.

Garrison, who was previously arrested in connection with the hack for “conspiracy to commit computer intrusion”, pled guilty to the charge on November 15, 2023, and is due to be sentenced on February 1, 2024.

The three men planned and launched a “credential stuffing attack” on or around November 18, 2022, whereby cybercriminals get hold of stolen credentials such as usernames and passwords obtained from other large-scale data breaches of other companies which can then be bought and sold on the dark web.

Once purchased, the stolen data is then used by criminals to gain unauthorized access to other online accounts where the customer has used the same username and password.

In this case, Austad and Stokes, with help from Garrison, successfully accessed approximately 60,000 accounts on the betting site. They were able to add a new payment method to separate accounts, deposit $5 to verify the new method, and then withdraw existing funds through the payment method to their own financial account.

Access to some customer accounts was then illegally sold on various websites that traffic in stolen accounts, known colloquially as ‘shops’. Two shops were directly controlled by Austad and Garrison, with the former’s shop named after the comic strip character Snoopy.

Stokes was charged with a purchasing a bulk order from Garrison, with the intent to sell on from his own shop. It is alleged they held a total listed account value of over $125,000.

Stokes posted photos on Instagram where he publicly advertised the stolen accounts on the now redacted betting website along with the caption: “40k value in accounts all valid and all can be cashed out with method in description. Don’t settle for 25% tax on Cashapp – settle for 25% off crypto though.”

Sometime around May 19, 2023, Austad is believed to have messaged a co-conspirator about the investigation, writing: “Like we I know the risk when we started lol . . . everyone knows their committing fraud.”

Months earlier, around December 2, 2022, he made a similar comment about the FBI investigation when he said: “Everyone 3hould’ve been prepared for this before cashing out lol.”  

Austad also controlled cryptocurrency accounts to the value of approximately $465,000, thought to be proceeds from the credential stuffing attacks and the sale of stolen accounts.

US Attorney for the Southern District of New York, Damian Williams, praised the investigation and warned cybercriminals to come forward before they are caught.

Williams said: “As alleged, Nathan Austad and Kamerin Stokes were involved a scheme to hack into the accounts of tens of thousands of victims and then to sell access to those stolen accounts online. 

“Our office is relentless in tracking down the perpetrators of cybercrime. Earlier this month, we announced an SDNY Whistleblower Pilot Program to encourage early and voluntary self-disclosure of criminal activity. To all cybercriminals: call us before we call you.”

James Smith, FBI assistant director in charge of the New York Field Office, remarked on the rise of dexterity in cybercrime and alerted people to the risk for businesses.

“Cyberattacks are growing increasingly more sophisticated, targeting all manner of businesses and posing a great risk to economic security,” he said.  

“Nathan Austad and Kamerin Stokes were allegedly part of a cyber intrusion that resulted in hundreds of thousands of dollars being stolen from victims’ accounts. 

“As these defendants found out, if you conduct a cyberattack for profit, you can bet the FBI can and will bring you to justice.”

The hack of the unnamed betting site comes a matter of months after Caesars Entertainment and MGM Resorts were attacked.