Man Gets 30 Months for Selling Thousands of Hacked DraftKings Accounts

The federal case against 23‑year‑old Kamerin Stokes underscores how credential‑stuffing attacks have migrated from traditional e‑commerce to the high‑stakes world of online sports betting. In November 2022, a breach of nearly 68,000 DraftKings accounts enabled a criminal network to siphon roughly $635,000 from 1,600 victims and generate more than $2.1 million by selling access to the compromised credentials. DraftKings was forced to reimburse hundreds of thousands of dollars, exposing the financial vulnerability of platforms that rely on password‑only authentication.

Stokes’ operation illustrates the rise of fraud‑as‑a‑service, where hackers monetize stolen login data through online ‘shops’ that market ready‑to‑use accounts to other criminals. By re‑opening his storefront after an initial arrest and branding it ‘fraud is fun,’ he demonstrated the low barrier to entry and the profit motive driving a new generation of cyber‑criminals. Law‑enforcement agencies are increasingly targeting these intermediaries, recognizing that disrupting the resale market can curb downstream theft across multiple sectors, from betting sites to fast‑food loyalty programs.

The sentencing—30 months in prison, three years of supervised release, $1.33 million in restitution and $126 k in forfeiture—signals a tougher stance on cyber‑fraud that directly harms consumers. For the betting industry, the case is a catalyst for adopting multi‑factor authentication, real‑time transaction monitoring, and stricter KYC protocols. As regulators push for stronger consumer protections, operators that invest in robust security frameworks are likely to retain trust and avoid costly refunds, while criminals face heightened risk of severe federal penalties.