NATHAN Austad has been sentenced to 18 months in prison for his role in a credential‑stuffing scheme that targeted DraftKings, a fantasy sports and betting platform, resulting in the theft of roughly $600 000 from about 60 000 user accounts according to reports. He pleaded guilty to conspiracy to commit computer intrusion in December 2025, admitting his participation in the scheme.
The attack relied on credential stuffing, where attackers used username and password pairs harvested from earlier data breaches to gain unauthorised access to DraftKings accounts as detailed by security researchers. By reusing leaked credentials, the group was able to compromise tens of thousands of accounts without needing to exploit any software vulnerability.
Besides the direct theft, the group managed cryptocurrency wallets that held around $465 000 in illicit proceeds. Courts have ordered the defendants to pay approximately $1.8 million in restitution and forfeiture. Three individuals in total have now received prison sentences for their involvement in the DraftKings intrusion.
The case was pursued by the DOJ and FBI, who noted that the defendants had underestimated the ability of federal investigators to intervene despite being aware of the ongoing probe. Authorities have stated that the suspects believed they could avoid detection, but the investigation successfully traced the illicit funds to cryptocurrency addresses.
Organisations should monitor login attempts for abnormal spikes, enforce multi‑factor authentication and encourage users to adopt unique, strong passwords that are not reused across services. Implementing rate limiting on authentication endpoints can throttle automated credential‑stuffing attempts before they succeed.
Deploying anomaly‑detection tools and regularly screening credentials against known breach databases adds another layer of defence. Educating customers about the risks of credential reuse and prompting them to update passwords after a breach notice further reduces the likelihood of account takeover.