Memphis Cybercriminal Sentenced for DraftKings Account Trafficking Scheme
A federal judge sentenced 23-year-old Kamerin Stokes of Memphis, Tennessee, to 30 months in prison on April 16, 2026, for operating a large-scale scheme that compromised tens of thousands of DraftKings sports betting accounts. The sentencing follows Stokes' guilty plea to charges of computer fraud and abuse, marking another significant prosecution in the growing wave of credential stuffing attacks targeting online gambling platforms.
Court documents reveal that Stokes orchestrated his operation between 2023 and 2024, systematically targeting DraftKings users through automated credential stuffing attacks. These attacks leveraged massive databases of previously breached usernames and passwords, exploiting users who reused the same login credentials across multiple online services. The technique has become increasingly common as cybercriminals capitalize on the widespread practice of password reuse among consumers.
The investigation, led by federal cybercrime units, uncovered evidence that Stokes had developed sophisticated automation tools to test millions of credential combinations against DraftKings' login systems. When successful logins were identified, Stokes would harvest account details including stored payment methods, betting history, and available account balances. He then packaged this access for sale on underground cybercriminal marketplaces, offering buyers the ability to drain funds or place unauthorized bets using victims' accounts.
Federal prosecutors emphasized the scale of the operation during sentencing proceedings, noting that the scheme affected users across multiple states where DraftKings operates legally. The case represents one of the largest prosecutions targeting sports betting platform fraud, as law enforcement agencies adapt to address cybercrime in the rapidly expanding online gambling sector. Investigators worked closely with CISA cybersecurity teams to understand the technical methods used in the attacks.
Scope of DraftKings Account Compromise and User Impact
The credential stuffing operation compromised tens of thousands of DraftKings accounts across the platform's active user base, which spans 21 states and multiple Canadian provinces where the company operates legally. Victims included both casual sports bettors and high-volume users who maintained significant account balances for regular wagering activities. Court filings indicate that compromised accounts contained varying amounts of stored funds, with some victims losing hundreds or thousands of dollars before discovering the unauthorized access.
DraftKings users who reused passwords from previous data breaches were particularly vulnerable to Stokes' attacks. The company's user base includes millions of active accounts, making it an attractive target for credential stuffing operations that rely on volume to achieve success. Affected users experienced unauthorized withdrawals, fraudulent bet placements, and in some cases, complete account takeovers that locked legitimate owners out of their profiles. The geographic spread of victims reflects DraftKings' broad market presence, with users in states including New York, Pennsylvania, Illinois, and Michigan among those impacted.
Technical Methods and Law Enforcement Response to Account Trafficking
Stokes employed automated botnet infrastructure to conduct his credential stuffing attacks, using residential proxy networks to mask the true origin of login attempts and evade DraftKings' security monitoring systems. The operation utilized credential databases obtained from previous major data breaches, including collections that contained millions of email and password combinations from compromised websites and services. Federal investigators found evidence that Stokes had purchased access to these databases through darkweb marketplaces, then developed custom scripts to automate the testing process against DraftKings' authentication systems.
The investigation involved collaboration between federal cybercrime prosecutors, the FBI's Cyber Crime Task Force, and private sector security researchers who helped trace the technical infrastructure used in the attacks. Law enforcement officials worked with Microsoft security teams and other technology partners to analyze the malware and automation tools recovered from Stokes' systems. The case demonstrates the increasing sophistication of credential stuffing operations and the challenges facing online platforms in detecting and preventing these attacks while maintaining user accessibility.
DraftKings has since implemented additional security measures including enhanced monitoring for suspicious login patterns, mandatory two-factor authentication for high-value accounts, and improved detection systems for automated attack traffic. Users are advised to enable all available security features, use unique passwords for their DraftKings accounts, and monitor account activity regularly for signs of unauthorized access. The company has also expanded its cooperation with law enforcement agencies to facilitate rapid response to similar threats in the future.
