Credential Stuffing to Prison: How a 21-Year-Old Hacker Breached 60,000 Betting Accounts and What It Teaches Us About Password Reuse + Video

By /

Listen to this Post

Featured Image

Introduction

In November 2022, a 21-year-old Minnesota man operating under the online alias “Snoopy” launched a credential stuffing attack against a major fantasy sports and betting platform, successfully compromising approximately 60,000 user accounts. Nathan Austad and his co-conspirators added payment methods under their control to 1,600 accounts and stole roughly $600,000, later selling access to the remaining compromised accounts through cybercriminal marketplaces. On June 23, 2026, Austad was sentenced to 18 months in federal prison, three years of supervised release, and ordered to pay $463,684 in forfeiture and $1,327,061 in restitution—a stark reminder that credential reuse remains one of the most dangerous yet preventable vulnerabilities in modern cybersecurity.

Learning Objectives

  • Understand the mechanics of credential stuffing attacks and how attackers leverage breached credentials from unrelated data breaches
  • Learn to implement technical defenses including rate limiting, breached password screening, and adaptive authentication
  • Master monitoring techniques to detect account takeover indicators including unusual payment method changes and withdrawal patterns
  • Explore the criminal marketplace ecosystem where compromised accounts are bought and sold

You Should Know

  1. Understanding Credential Stuffing: The Attack That Never Sleeps

Credential stuffing is a cyberattack technique where threat actors collect stolen username-password pairs obtained from previous large-scale data breaches of other companies—often purchased on the darkweb—and systematically attempt to use those same credentials to gain unauthorized access to accounts on other platforms. Unlike brute-force attacks that guess passwords randomly, credential stuffing exploits the widespread human tendency to reuse the same password across multiple services.

In the DraftKings case, Austad and his co-conspirators acquired a large list of stolen credentials from prior breaches and launched a series of automated login attempts against the betting website’s user accounts. The attack succeeded because thousands of users had maintained the same password on the betting platform that they had used on other compromised websites.

How to test your own exposure:

  • Linux/macOS: Use `haveibeenpwned.com` API to check if your email appears in known breaches: 
    curl -s "https://haveibeenpwned.com/api/v3/breachedaccount/[email protected]" -H "hibp-api-key: YOUR_API_KEY"
  • Windows (PowerShell): 
    Invoke-RestMethod -Uri "https://haveibeenpwned.com/api/v3/breachedaccount/[email protected]" -Headers @{"hibp-api-key"="YOUR_API_KEY"}

Defensive Measures Against Credential Stuffing:

Organizations must implement a multi-layered defense strategy:

  1. Rate Limiting: Restrict the number of login attempts from a single IP address within a time window. For Nginx: 
    limit_req_zone $binary_remote_addr zone=login:10m rate=5r/m;
limit_req zone=login burst=10 nodelay;

  2. Breached Password Screening: Reject passwords that appear in known breach databases. Implement the Have I Been Pwned API’s k-Anonymity model:

    Check if a password hash prefix appears in breaches
curl -s "https://api.pwnedpasswords.com/range/{SHA1_PREFIX}"

  3. CAPTCHA Deployment: Force CAPTCHA challenges after failed login attempts to distinguish bots from humans.

  4. Device Fingerprinting: Track device identifiers and flag logins from unrecognized devices.

  5. The Criminal Marketplace: How Stolen Accounts Become Cash

Access to the compromised DraftKings accounts was sold on various websites that traffic in stolen accounts, commonly referred to as “Shops”. Austad directly controlled and profited from his own shop, which he named after the Peanuts comic strip character Snoopy. This shop operated as a commercial storefront where cybercriminals could purchase access to compromised accounts, complete with available balances and payment methods.

The economics of this operation reveal a sophisticated criminal business model. Austad controlled cryptocurrency accounts that received approximately $465,000 worth of assets, including proceeds from the scheme. The group’s total theft amounted to about $600,000 from 1,600 victim accounts, with the remaining compromised accounts generating additional revenue through access sales.

Monitoring for Account Takeover Indicators:

Security teams should implement real-time monitoring for the following suspicious activities:

  • Payment Method Changes: Alert when a new payment method is added to an account, especially if followed by immediate withdrawal attempts.
  • Unusual Withdrawal Behavior: Flag withdrawals that deviate from a user’s historical patterns.
  • Device and Location Changes: Monitor for logins from new devices or geographic locations inconsistent with user history.
  • Bulk Login Attempts: Detect IP addresses or user agents making repeated login attempts across multiple accounts.

SIEM Query Example (Splunk):

index=authentication sourcetype=login_events
| stats count by src_ip, user_agent, user
| where count > 5
| lookup geoip src_ip
| table src_ip, geoip_country, user_agent, user, count
  1. The Legal and Financial Consequences: When Hubris Meets Justice

The case against Austad was built on compelling digital evidence, including private messages exchanged with co-conspirators. In December 2022, Austad messaged: “everyone shouldve been prepared for this before cashing out lol,” to which a co-conspirator replied, “lol fbi can’t do shit”. Months later, in May 2023, Austad wrote: “like we didnt know the risk when we started lol . . . everyone knows their committing fraud”.

U.S. Attorney Jay Clayton highlighted this arrogance in his statement: “The defendants acknowledged the federal investigation into their conduct while they were committing their crimes, even having the hubris to say the FBI could not do anything about it. They were wrong”.

Austad is the third defendant sentenced in this case. Joseph Garrison received 18 months in prison in January 2024, and Kamerin Stokes, known as “TheMFNPlug,” received a 30-month sentence in April 2026. The cumulative sentences and restitution orders—totaling over $2.7 million across all defendants—demonstrate that law enforcement is treating credential stuffing as a serious federal crime.

Forensic Investigation Commands:

For incident responders investigating potential credential stuffing attacks:

  • Linux – Analyze authentication logs: 
    Check for failed login attempts from a single IP
grep "Failed password" /var/log/auth.log | awk '{print $(NF-3)}' | sort | uniq -c | sort -1r

Identify IPs with excessive failed attempts
lastb | awk '{print $3}' | sort | uniq -c | sort -1r | head -20

  • Windows – Audit failed logon events (Event ID 4625):

    Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4625} | 
Select-Object TimeCreated, @{N='SourceIP';E={$_.Properties[bash].Value}} |
Group-Object SourceIP | Select-Object Name, Count | Sort-Object Count -Descending

4. MFA Bypass and Authentication Hardening

While the DraftKings attack did not explicitly involve MFA bypass, credential stuffing attacks increasingly target accounts protected by multi-factor authentication through techniques like SIM swapping, push notification fatigue, and OTP interception. Organizations must implement robust authentication controls that go beyond simple username-password verification.

Implementing Adaptive Authentication:

Adaptive authentication evaluates risk factors in real-time and adjusts authentication requirements accordingly:

 Pseudo-code for adaptive authentication logic
def evaluate_login_risk(user, request):
risk_score = 0

Check if credentials appear in breach database
if is_password_breached(user.password_hash):
risk_score += 40

Check device fingerprint
if not is_known_device(user.id, request.device_fingerprint):
risk_score += 25

Check geographic velocity
if geographic_velocity_exceeds_threshold(user.id, request.ip):
risk_score += 25

Check login time patterns
if not matches_historical_pattern(user.id, request.timestamp):
risk_score += 10

if risk_score > 50:
require_mfa(user)
elif risk_score > 30:
require_captcha()
else:
allow_login()

Nginx Rate Limiting for Login Endpoints:

 Limit by IP address
limit_req_zone $binary_remote_addr zone=login_zone:10m rate=10r/m;

Limit by username to prevent credential stuffing against specific accounts
limit_req_zone $username zone=username_zone:10m rate=3r/m;

location /api/login {
limit_req zone=login_zone burst=20 nodelay;
limit_req zone=username_zone burst=5;
proxy_pass http://backend;
}
  1. Cloud Security and API Hardening for Financial Platforms

The DraftKings attack targeted a platform handling sensitive financial transactions, including payment method management and fund withdrawals. Organizations operating in regulated industries must implement rigorous API security controls to prevent similar attacks.

API Security Best Practices:

  1. Implement OAuth 2.0 with PKCE: Use Proof Key for Code Exchange to prevent authorization code interception attacks.

2. Enforce Strong Session Management:

  • Implement short-lived access tokens (15-30 minutes)
  • Use refresh tokens with rotation
  • Invalidate sessions on suspicious activity

3. API Rate Limiting by User and Endpoint:

 Flask-Limiter example
from flask_limiter import Limiter
from flask_limiter.util import get_remote_address

limiter = Limiter(app, key_func=get_remote_address)

@app.route('/api/withdraw')
@limiter.limit("5 per hour")
def withdraw():
 Withdrawal logic
  1. Webhook Security: Implement signature verification for all incoming webhooks: 
    import hmac
import hashlib</li>
</ol>

def verify_webhook_signature(payload, signature, secret):
expected = hmac.new(
secret.encode(),
payload.encode(),
hashlib.sha256
).hexdigest()
return hmac.compare_digest(signature, expected)

    5. Cloud WAF Configuration (AWS WAF):

    {
"Name": "RateBasedRule",
"Priority": 1,
"Action": { "Block": {} },
"VisibilityConfig": { "SampledRequestsEnabled": true },
"RateBasedRule": {
"Limit": 2000,
"RateKey": "IP"
}
}

    6. Detecting and Disrupting Account Resale Operations

    Austad sold access to compromised accounts through his own online shop and other platforms. Organizations can proactively monitor for their customers’ exposed credentials appearing on criminal marketplaces.

    Monitoring for Exposed Credentials:

    • Dark Web Monitoring Services: Deploy solutions that scan criminal forums and marketplaces for mentions of your domain or customer credentials.
    • Credential Leak Detection: Implement systems that check new login attempts against known breach databases.
    • Honeypot Accounts: Deploy decoy accounts to detect when attackers are targeting your platform.

    Automated Breach Notification Script:

    !/bin/bash
 Check for domain mentions in Have I Been Pwned
DOMAIN="yourcompany.com"
curl -s "https://haveibeenpwned.com/api/v3/breaches?domain=$DOMAIN" | jq '.[].Name'

    Incident Response Playbook for Credential Stuffing:

    1. Detection: Alert on anomalous login patterns, excessive failed attempts, or successful logins from new locations.
    2. Containment: Immediately lock affected accounts and require password reset.
    3. Investigation: Review authentication logs, identify compromised credentials, and determine scope.
    4. Remediation: Force password changes for all potentially affected users, implement additional authentication controls.
    5. Notification: Inform affected users and regulatory bodies as required.
    6. Recovery: Monitor for recurring attacks and adjust defensive controls.

    7. Password Security Education and User Awareness

    The root cause of the DraftKings breach was password reuse. Users who maintained the same password across multiple platforms became vulnerable when their credentials were exposed in unrelated data breaches. Organizations must invest in user education and implement technical controls that guide users toward better password hygiene.

    User Education Key Messages:

    • Never reuse passwords across different platforms
    • Use password managers to generate and store unique, complex passwords
    • Enable multi-factor authentication wherever available
    • Monitor accounts for unauthorized activity

    Linux Command for Password Complexity Checking:

     Check password complexity policies in /etc/pam.d/common-password
grep "pam_pwquality" /etc/pam.d/common-password

    Windows Password Policy Configuration (PowerShell):

     Set minimum password length and complexity
Set-ADDefaultDomainPasswordPolicy -Identity "yourdomain.com" `
-MinPasswordLength 12 `
-ComplexityEnabled $true `
-PasswordHistoryCount 24

    Implementing Breached Password Detection at Login:

    import requests
import hashlib

def check_password_breached(password):
"""Check if password appears in Have I Been Pwned database"""
sha1 = hashlib.sha1(password.encode()).hexdigest().upper()
prefix, suffix = sha1[:5], sha1[5:]

response = requests.get(f"https://api.pwnedpasswords.com/range/{prefix}")
if response.status_code == 200:
hashes = [line.split(':')[bash] for line in response.text.splitlines()]
return suffix in hashes
return False

    What Undercode Say:

    • Password Reuse is the Weakest Link: The DraftKings breach succeeded不是因为 sophisticated zero-day exploits, but because users reused passwords across platforms. Organizations must treat credential reuse as a systemic risk requiring both technical controls and user education.

    • Law Enforcement is Taking Action: The coordinated prosecution of all three defendants—Garrison, Stokes, and Austad—with sentences ranging from 18 to 30 months demonstrates that credential stuffing is being treated as serious computer intrusion. The $1.3 million restitution order against Austad alone sends a powerful deterrent message.

    • Criminal Marketplaces Enable Scale: The operation of dedicated “Shops” for selling compromised accounts transforms isolated intrusions into a scalable criminal enterprise. Organizations must monitor for their customers’ accounts appearing on these marketplaces.

    • Hubris Accelerates Prosecution: Austad’s private messages mocking the FBI’s investigation provided prosecutors with compelling evidence of criminal intent and consciousness of guilt. Cybercriminals who believe they are untouchable often leave the digital breadcrumbs that lead to their conviction.

    • Credential Stuffing is a Business Model: The group added payment methods to 1,600 accounts and stole $600,000, while also selling access to thousands more. This hybrid approach—direct theft plus account resale—maximizes criminal profit and requires comprehensive defensive strategies.

    • Restitution Exceeds Initial Loss Estimates: DraftKings initially reported less than $300,000 stolen, but the final restitution order against Austad alone reached $1.3 million. Organizations must prepare for the full financial impact of breaches, including legal costs, regulatory fines, and restitution.

    • MFA Alone is Not Enough: While multi-factor authentication significantly reduces risk, credential stuffing attacks increasingly target MFA-protected accounts through social engineering and push notification fatigue. Adaptive authentication and risk-based controls are essential.

    • Monitoring Must Include Payment Methods: The attackers added their own payment methods to victim accounts. Security teams must monitor for unusual payment method additions and withdrawal patterns, not just login activity.

    • Credential Stuffing is Preventable: Unlike zero-day exploits, credential stuffing can be effectively mitigated through rate limiting, breached password screening, and user education. The DraftKings breach was preventable, making it all the more damaging.

    • The Sentence Fits the Crime: While 18 months may seem lenient for $600,000 in theft, the combination of prison time, supervised release, forfeiture, and restitution totaling over $1.8 million creates a significant deterrent for aspiring cybercriminals.

    Prediction:

    • +1 Credential stuffing attacks will continue to rise as data breaches proliferate, but organizations that implement breached password screening and adaptive authentication will significantly reduce their exposure. The DraftKings case provides a compelling business case for investing in these controls.

    • +1 Law enforcement coordination across jurisdictions will improve, leading to more prosecutions of credential stuffing operators. The successful prosecution of all three defendants in this case demonstrates the effectiveness of multi-agency collaboration.

    • -1 The criminal marketplace ecosystem will evolve to include more sophisticated vetting and escrow services, making it harder for law enforcement to infiltrate and disrupt these operations.

    • -1 As password reuse remains endemic, attackers will continue to succeed against platforms that fail to implement basic credential stuffing defenses. The DraftKings breach may be just the beginning of a wave of similar attacks targeting fintech and gaming platforms.

    • -1 AI-powered credential stuffing tools will accelerate attack speed and sophistication, allowing attackers to test billions of credential combinations more efficiently and evade traditional rate-limiting defenses.

    • +1 Regulatory bodies will increasingly mandate breached password screening and multi-factor authentication for financial services, raising the baseline security posture across the industry.

    • -1 The economics of account takeover will attract more organized criminal groups, transforming credential stuffing from a solo hacker activity into a structured criminal enterprise with dedicated roles for credential acquisition, validation, monetization, and money laundering.

    • +1 Passwordless authentication technologies—including passkeys, biometrics, and FIDO2—will gain mainstream adoption as organizations seek to eliminate the password reuse problem at its source.

    • -1 Small and medium-sized businesses with limited security resources will remain vulnerable to credential stuffing, becoming attractive targets for attackers seeking easy entry points.

    • +1 The DraftKings case will serve as a seminal legal precedent, establishing credential stuffing as a federal crime with significant financial consequences, potentially deterring future attackers who might otherwise view it as a low-risk, high-reward activity.

    ▶️ Related Video (68% Match):

    https://www.youtube.com/watch?v=cCafx41scIM

    🎯Let’s Practice For Free:

    🎓 Live Courses & Certifications:

    Join Undercode Academy for Verified Certifications

    🚀 Request a Custom Project:

    Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
    [email protected]
    💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands

    IT/Security Reporter URL:

    Reported By: Dlross Hacker – Hackers Feeds
    Extra Hub: Undercode MoN
    Basic Verification: Pass ✅

    🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

    💬 Whatsapp | 💬 Telegram

    📢 Follow UndercodeTesting & Stay Tuned:

    𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky

Related Posts: