DraftKings Credential Stuffing: Memphis Man Sentenced to 30 Months
- [01] Tens of thousands of users faced financial loss after their betting accounts were sold to cybercriminals on illicit digital marketplaces.
- [02] Impacted systems: DraftKings customer accounts whose owners reused passwords already exposed in breaches of unrelated services and had not enabled multi-factor authentication.
- [03] Defenders should enforce mandatory multi-factor authentication, require step-up verification before contact or payout details change, and deploy bot detection and rate limiting to stop automated credential stuffing at the login endpoint.
The legal resolution of a massive sports betting security incident reached a milestone as 23-year-old Kamerin Stokes of Memphis, Tennessee, was sentenced to 30 months in federal prison. According to BleepingComputer, Stokes was a central figure in the distribution of access to approximately 60,000 compromised DraftKings accounts, facilitating a wave of fraud that resulted in hundreds of thousands of dollars in losses.
Stokes pleaded guilty to one count of conspiracy to commit computer intrusion. In addition to his prison term, he has been ordered to serve three years of supervised release and pay $574,866 in restitution. This sentencing highlights the growing legal consequences for individuals participating in the secondary markets that fuel account takeover (ATO) fraud.
Technical Analysis of the DraftKings Credential Stuffing Attack
The root cause of this incident was not a compromise of DraftKings’ server infrastructure; no software vulnerability was exploited, so there is no CVE to patch. Instead, the incident was a textbook high-volume credential stuffing attack. In this TTP, automated tooling replays username and password pairs harvested from previous data breaches on unrelated platforms against the target’s login endpoint, relying on the fraction of users who reuse the same password everywhere.
In the DraftKings credential stuffing attack, which occurred around November 2022, attackers leveraged the fact that many users recycle passwords across multiple services. Once the automated scripts successfully identified a valid login, the account was flagged as “verified” and listed for sale on illicit marketplaces such as “Get-Sola.” These marketplaces provide a streamlined platform for low-skill threat actors to purchase validated accounts with linked credit cards or bank accounts.
Attackers who bought access from Stokes completed the account takeover by changing the contact information and linked phone numbers, which locked the legitimate owners out and cut them off from any recovery or notification channel. They then initiated unauthorized withdrawals, stealing approximately $635,000 from the user base. Nothing in this workflow looks like an exploit to a vulnerability-centric defense: every request was a well-formed login carrying a valid password, which is why identity-based attacks sidestep controls built around software flaws such as RCE.
Credential Stuffing Mitigation Steps for DraftKings and Financial Platforms
For security professionals and platform owners, the sentencing serves as a reminder of the persistent risk of automated identity attacks. Understanding how to prevent credential stuffing in online gaming and financial services requires a multi-layered approach to identity and access management. Because these attacks rely on automation, defenders should prioritize the following:
- Mandatory Multi-Factor Authentication (MFA): The 2022 incident succeeded largely because many targeted accounts lacked MFA. Requiring a second factor at login means a correct password harvested from another breach is no longer sufficient on its own. Because the attackers in this case changed linked phone numbers after taking over accounts, the same second factor should also be required (step-up authentication) before contact details, payout methods, or withdrawals can be changed, and app- or hardware-based factors are preferable to SMS, which is only as strong as the phone number on file.
- Bot Detection and Rate Limiting: Organizations must deploy Web Application Firewalls (WAF) or bot management solutions capable of recognizing the hallmarks of automated login attempts: many distinct usernames from one source, a high failure ratio, and login velocity no human produces. Correlating request headers, IP reputation, and per-source login velocity lets a SOC identify an ongoing attack in real time and throttle or challenge the offending sources.
- Leaked Credential Monitoring: Checking passwords at registration, login, and password change against known breach corpora (ideally through a k-anonymity range lookup, so the plaintext password never leaves the platform) allows the company to force resets before an attacker can exploit the data.
- Anomalous Behavioral Analytics: Using a SIEM to watch for sudden changes in account behavior, such as a login from a new geography followed within minutes by a change in contact or banking details, can trigger an automated account freeze before a withdrawal is attempted.
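The two detection controls above can be expressed as simple rules run over authentication and account-change logs. The following is an added example, written for this page and not code from DraftKings or from the article; the log format, field names, thresholds, and the sample events are all constructed to illustrate the patterns described (one source address spraying many usernames with mostly failures, and a new-country login followed by contact and payout changes). It also handles a subtlety the text does not spell out: a successful login that came from the stuffing run must not be allowed to vouch for the attacker's next login, so the geography baseline only counts successes at least a day old.

```python
"""Added example: credential stuffing and account-takeover detection rules
run over constructed log lines. Not the article's or DraftKings' code."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (assumed format): ts event user src_ip country result
SAMPLE_LOG = """\
2022-11-10T12:00:00Z login carol 198.51.100.20 US success
2022-11-10T12:05:00Z login dave 198.51.100.21 US success
2022-11-10T12:10:00Z login eve 198.51.100.22 US success
2022-11-18T03:00:01Z login alice 203.0.113.7 NL fail
2022-11-18T03:00:02Z login bob 203.0.113.7 NL fail
2022-11-18T03:00:03Z login carol 203.0.113.7 NL success
2022-11-18T03:00:04Z login dave 203.0.113.7 NL fail
2022-11-18T03:00:05Z login eve 203.0.113.7 NL fail
2022-11-18T03:00:06Z login frank 203.0.113.7 NL fail
2022-11-18T03:00:07Z login grace 203.0.113.7 NL fail
2022-11-18T09:15:00Z login carol 192.0.2.55 RO success
2022-11-18T09:16:30Z contact_change carol 192.0.2.55 RO success
2022-11-18T09:18:00Z payout_change carol 192.0.2.55 RO success
2022-11-18T09:20:00Z withdrawal carol 192.0.2.55 RO success
2022-11-18T10:00:00Z login dave 198.51.100.21 US success
2022-11-18T10:02:00Z payout_change dave 198.51.100.21 US success
2022-11-18T11:00:00Z login eve 192.0.2.80 FR success
2022-11-18T11:30:00Z login dave 198.51.100.21 US fail
2022-11-18T11:30:05Z login dave 198.51.100.21 US success
"""

# Account changes that an attacker performs between takeover and withdrawal.
SENSITIVE_ACTIONS = {"contact_change", "payout_change"}


def parse_log(text):
    """Parse the constructed whitespace-separated log into event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, event, user, src_ip, country, result = line.split()
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "event": event, "user": user, "src_ip": src_ip,
                       "country": country, "result": result})
    return events


def detect_stuffing_sources(events, window=timedelta(seconds=60),
                            min_users=5, min_fail_ratio=0.5):
    """Flag source IPs that try many distinct usernames with mostly failures
    inside a sliding time window: the signature of credential stuffing.
    Returns {ip: stats} for the widest offending window per IP."""
    by_ip = defaultdict(list)
    for e in events:
        if e["event"] == "login":
            by_ip[e["src_ip"]].append(e)
    flagged = {}
    for ip, logins in by_ip.items():
        logins.sort(key=lambda e: e["ts"])
        start = 0
        for end, last in enumerate(logins):
            while last["ts"] - logins[start]["ts"] > window:
                start += 1  # slide the window forward
            win = logins[start:end + 1]
            users = {e["user"] for e in win}
            failures = sum(e["result"] == "fail" for e in win)
            if len(users) >= min_users and failures / len(win) >= min_fail_ratio:
                stats = {"attempts": len(win), "distinct_users": len(users),
                         "failures": failures}
                if ip not in flagged or stats["distinct_users"] > flagged[ip]["distinct_users"]:
                    flagged[ip] = stats
    return flagged


def detect_takeover_sequences(events, window=timedelta(minutes=30),
                              baseline_age=timedelta(hours=24)):
    """Flag a successful login from a country the user has no aged history
    for, followed within `window` by contact or payout changes.
    Only successes at least `baseline_age` old count as history, so a fresh
    stuffing hit cannot whitelist the attacker's next login."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        successes = [e for e in evs if e["event"] == "login" and e["result"] == "success"]
        for login in successes:
            known = {s["country"] for s in successes
                     if s["ts"] <= login["ts"] - baseline_age}
            if login["country"] in known:
                continue
            actions = [e["event"] for e in evs if e["event"] in SENSITIVE_ACTIONS
                       and login["ts"] < e["ts"] <= login["ts"] + window]
            if actions:
                alerts.append({"user": user, "country": login["country"],
                               "src_ip": login["src_ip"], "login_ts": login["ts"],
                               "actions": actions})
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("stuffing sources:", detect_stuffing_sources(evs))
    print("takeover candidates:", detect_takeover_sequences(evs))
```

Run against the sample, the first rule flags only 203.0.113.7 (seven usernames, six failures in seven seconds), and the second flags only carol's Romanian login, because the contact and payout changes follow it within the window. Dave's payout change from his usual country and eve's travel login with no account changes are not flagged. In production the stuffing alert would feed a rate limiter or challenge, and the takeover alert would freeze withdrawals pending step-up authentication; the thresholds here are illustrative and need tuning to the platform's real traffic.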
While this case involved no sophisticated phishing or nation-state APT activity, only recycled passwords and off-the-shelf automation, the scale of the financial damage underscores why identity remains the most exposed layer of the modern attack surface.