A guilty plea has been entered by a Minnesota man accused of participating in a large-scale cyber-attack against a fantasy sports and betting platform, according to US prosecutors.
The case involves a credential stuffing scheme that led to the compromise of tens of thousands of user accounts and significant financial losses for affected customers.
Nathan Austad, 21, of Farmington, Minnesota (also known online as “Snoopy”), admitted in court last Friday to conspiring to commit computer intrusion.
He is the third individual to plead guilty in connection with the hacking campaign. Prosecutors said Austad and his co-conspirators targeted a betting website in November 2022, using stolen login credentials to gain unauthorized access to user accounts.
Court documents show that more than 60,000 accounts were successfully compromised. In many cases, the attackers added new payment methods under their control and drained existing balances.
Roughly $600,000 was stolen from approximately 1600 victims through this process. Access to the hijacked accounts was also sold on online marketplaces specializing in trafficking compromised accounts.
The attack relied on credential stuffing, a technique that uses username and password pairs obtained from previous data breaches. Those credentials were systematically tested against the betting website in the hope that users had reused the same login details. Once access was gained, the accounts were either emptied or sold to third parties.
Prosecutors said Austad operated one such online shop himself and controlled cryptocurrency accounts that received about $465,000 in digital assets, including proceeds linked to the scheme.
Investigators also uncovered messages in which Austad discussed awareness of an active investigation. In one exchange, he commented that participants should have anticipated law enforcement scrutiny, while another message acknowledged the criminal nature of the activity.
Read more on credential stuffing attacks: Aussie Pension Savers Hit with Wave of Credential Stuffing Attacks
Although the affected betting platform was not named in the court filings, the facts align with a November 2022 announcement by DraftKings that around 68,000 user accounts had been compromised in a credential stuffing incident.
Two other individuals tied to that breach, Joseph Garrison and Kamerin Stokes, have already pleaded guilty. Garrison was sentenced to 18 months in prison in early 2024, while Stokes entered his plea in April 2024.
Austad faces a maximum sentence of five years in prison. His sentencing hearing is scheduled for April 10 2026.
