Third DraftKings hacker gets 18 months in prison for a 2022 credential-stuffing attack that compromised 1,600 accounts and stole $600,000.Nathan Austad, the third person sentenced over the 2022 DraftKings credential-stuffing attack, received 18 months in prison. The group used usernames and passwords stolen from other breaches to access about 1,600 accounts and steal roughly $600,000. Austad also ran a website selling compromised accounts. Austad must pay about $1.8 million in restitution and forfeiture and faces three years of supervised release.“On or about November 18, 2022, AUSTAD and others launched a “credential stuffing attack” on the Betting Website. During a credential stuffing attack, a cyber threat actor collects stolen credentials, or username and password pairs, obtained from other large-scale data breaches of other companies, which can often be purchased on the darkweb. The threat actor then systematically attempts to use those stolen credentials to obtain unauthorized access to accounts held by the same user with other companies and providers, in order to compromise accounts where the user has maintained the same password.” read the charging documents and other filings and statements made in court. “Here, in connection with the attack on the Betting Website, AUSTAD and his coconspirators made a series of attempts to log into the Betting Website user accounts using a large list of stolen credentials.”Nathan Austad and his accomplices used a credential-stuffing attack to compromise around 60,000 accounts on a betting platform. In roughly 1,600 cases, they added their own payment methods to victim accounts and withdrew available funds, stealing about $600,000. The group also sold access to compromised accounts through online marketplaces known as “shops.” Austad operated his own shop, branded with the name “Snoopy,” where stolen accounts were offered for sale. Court documents show he was aware of the criminal risks and discussed the FBI investigation with accomplices, acknowledging they were committing fraud. Investigators also linked him to cryptocurrency wallets that received about $465,000, including proceeds from the scheme.Nathan Austad is the third person sentenced in the investigation into the DraftKings credential-stuffing scheme. Earlier, Joseph Garrison received 18 months in prison, while Kamerin Stokes, known as “TheMFNPlug,” was sentenced to 30 months. Austad, 21, was sentenced to 18 months in prison, followed by three years of supervised release, and ordered to pay nearly $1.8 million in forfeiture and restitution.Follow me on Twitter: @securityaffairs and Facebook and MastodonPierluigi Paganini(SecurityAffairs – hacking, DoJ)