ZCyberNews

DraftKings Credential Seller Sentenced to Prison for Continued Fraud

Kamerin Stokes, a participant in the 2022 DraftKings credential stuffing attack, has been sentenced to time served and three years of supervised release for continuing to sell stolen accounts after pleading guilty.

Executive Summary

Kamerin Stokes, a 23-year-old from Memphis, Tennessee, has been sentenced to time served and three years of supervised release for his role in selling stolen DraftKings user credentials. According to court documents, Stokes continued to sell compromised accounts on an online marketplace even after pleading guilty to conspiracy to commit computer intrusion in November 2022, demonstrating ongoing criminal activity post-conviction.

Technical Analysis

The underlying attack was a large-scale credential stuffing campaign against DraftKings and FanDuel in November 2022. Threat actors used credentials obtained from previous, unrelated data breaches to attempt logins on the sports betting platforms. The technique relies on users reusing passwords across multiple services. While DraftKings initially stated the attack did not involve a breach of its own systems, the incident resulted in the theft of approximately $600,000 from user accounts. Stokes's specific technical role in the initial attack is not detailed in the available source, but his subsequent criminal activity involved the sale of these compromised credentials.

Tactics, Techniques & Procedures

The primary TTP associated with the original incident is Credential Stuffing (T1110.004), where attackers automate login attempts using known username/password pairs. Stokes's later activities involved Fraudulent Sale of Data (T1588.002), specifically the monetization of access to compromised accounts through an online marketplace. His actions after pleading guilty also indicate a pattern of Defiance of Judicial Process, continuing illicit sales while under the court's jurisdiction.

Threat Actor Context

Stokes was one of several individuals charged in connection with the 2022 DraftKings attack. His co-defendant, Joseph Garrison, was sentenced to 18 months in prison in March 2025. The sentencing memorandum filed by prosecutors argued that Stokes's continued criminal conduct after his guilty plea warranted a custodial sentence, though the judge ultimately imposed time served. This case highlights the challenge of deterring cybercrime even after legal proceedings have begun, as actors may continue operations from the same infrastructure or networks.

Mitigations & Recommendations

Organizations, particularly those in the online gambling and financial services sectors, should implement robust defenses against credential stuffing. These include:

  • Enforcing multi-factor authentication (MFA) for all user accounts.
  • Deploying bot detection and rate-limiting solutions to identify and block automated login attempts.
  • Monitoring for credential dumps on dark web markets and integrating compromised password databases into threat intelligence feeds to proactively force password resets.
  • Educating users on the critical importance of using unique, strong passwords for each online service.

For law enforcement and judicial systems, this case suggests a need for closer monitoring of defendants' online activities post-indictment or plea to prevent continued harm.
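
The bot-detection and rate-limiting recommendation in the list above, sketched as an added example (not from the original article or from any platform it names): a sliding-window check that flags a source trying many distinct accounts with mostly failed logins, while ignoring one user's repeated typos and a shared NAT. The log format, thresholds, function names and sample events are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def parse(line):
    """Assumed log format: ISO-8601 UTC timestamp, source IP, username, OK|FAIL."""
    ts, ip, user, outcome = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user.lower(), outcome == "OK"

def detect_stuffing(lines, window_s=300, min_users=5, min_fail_ratio=0.8):
    """Return {ip: (distinct_users, fail_ratio)} for each source that, within a
    sliding window, tried at least min_users accounts with mostly failed logins.
    Thresholds are illustrative assumptions, not tuned values."""
    window = timedelta(seconds=window_s)
    recent = defaultdict(deque)  # ip -> events still inside the window
    flagged = {}
    for ts, ip, user, ok in sorted(map(parse, lines)):
        q = recent[ip]
        q.append((ts, user, ok))
        while q[0][0] < ts - window:  # expire events older than the window
            q.popleft()
        users = {u for _, u, _ in q}
        fail_ratio = sum(not o for _, _, o in q) / len(q)
        if len(users) >= min_users and fail_ratio >= min_fail_ratio:
            # Keep the widest spread of accounts seen for this source.
            flagged[ip] = max(flagged.get(ip, (0, 0.0)), (len(users), fail_ratio))
    return flagged

def sample_log():
    """Constructed events: RFC 5737 documentation IPs, made-up accounts."""
    day, lines = "2024-01-01T02:0", []
    for i in range(8):  # one guess each at 8 accounts, a single hit: stuffing
        lines.append(f"{day}0:{i*5:02d}Z 203.0.113.7 user{i}@example.com "
                     f"{'OK' if i == 5 else 'FAIL'}")
    for i in range(6):  # one person mistyping their own password
        lines.append(f"{day}1:{i*5:02d}Z 198.51.100.20 dana@example.com FAIL")
    for i in range(6):  # shared office NAT: many accounts, mostly successful
        lines.append(f"{day}2:{i*5:02d}Z 192.0.2.44 staff{i}@example.com "
                     f"{'FAIL' if i == 0 else 'OK'}")
    return lines

if __name__ == "__main__":
    for ip, (users, ratio) in detect_stuffing(sample_log()).items():
        print(f"{ip}: {users} distinct accounts, {ratio:.0%} failed")
```

Keying on source IP alone misses campaigns spread across many proxies, so the same counting is usually repeated on other keys such as ASN or device fingerprint.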
