Damian Williams, the United States Attorney for the Southern District of New York, and James Smith, the Assistant Director in Charge of the New York Field Office of the Federal Bureau of Investigation (“FBI”), announced the unsealing of a six-count criminal Complaint charging NATHAN AUSTAD, a/k/a “Snoopy,” and KAMERIN STOKES, a/k/a “TheMFNPlug,” in connection with a scheme to hack user accounts at a fantasy sports and betting website (the “Betting Website”) and sell access to those accounts in order to steal hundreds of thousands of dollars from them. AUSTAD was arrested today in Farmington, Minnesota, and is expected to be presented later today before U.S. Magistrate Judge David T. Schultz in the District of Minnesota. STOKES was arrested today in Memphis, Tennessee, and is expected to be presented later today before U.S. Magistrate Judge Annie T. Christoff in the Western District of Tennessee.
U.S. Attorney Damian Williams said: “As alleged, Nathan Austad and Kamerin Stokes were involved in a scheme to hack into the accounts of tens of thousands of victims and then to sell access to those stolen accounts online. Our office is relentless in tracking down the perpetrators of cybercrime. Earlier this month, we announced an SDNY Whistleblower Pilot Program to encourage early and voluntary self-disclosure of criminal activity. To all cybercriminals: call us before we call you.”
FBI Assistant Director in Charge James Smith said: “Cyberattacks are growing increasingly more sophisticated, targeting all manner of businesses and posing a great risk to economic security. Nathan Austad and Kamerin Stokes were allegedly part of a cyber intrusion that resulted in hundreds of thousands of dollars being stolen from victims’ accounts. As these defendants found out, if you conduct a cyberattack for profit, you can bet the FBI can and will bring you to justice.”
As alleged in the Complaint:
On or about November 18, 2022, AUSTAD, Joseph Garrison, and others launched a “credential stuffing attack” on the Betting Website. During a credential stuffing attack, a cyber threat actor collects stolen credentials, or username and password pairs, obtained from other large-scale data breaches of other companies, which can be purchased on the darkweb. The threat actor then systematically attempts to use those stolen credentials to obtain unauthorized access to accounts held by the same user with other companies and providers, in order to compromise accounts where the user has maintained the same password. Here, in connection with the attack on the Betting Website, there was a series of attempts to log into the Betting Website accounts using a large list of stolen credentials.
AUSTAD and Garrison successfully accessed approximately 60,000 accounts at the Betting Website (the “Victim Accounts”) through the credential stuffing attack. In some instances, the individuals who unlawfully accessed the Victim Accounts were able to add a new payment method on the account, deposit $5 into that account through the new payment method to verify that method, and then withdraw all the existing funds in the Victim Account through the new payment method (i.e., to a newly added financial account belonging to the hacker), thus stealing the funds in the Victim Account.
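A defender-side sketch of the cash-out pattern described above, as an added example that is not part of the Complaint or this announcement: it flags accounts where a newly added payment method receives a small verification deposit and is then used for a withdrawal that drains the balance. The event schema, field names and thresholds are assumptions, and the sample events are constructed.

```python
# Constructed sample events (not real data); "t" is seconds from an arbitrary start.
EVENTS = [
    # A1: new method, $5 verification deposit, full drain minutes later
    {"t": 0, "acct": "A1", "type": "method_added", "method": "card-9"},
    {"t": 60, "acct": "A1", "type": "deposit", "method": "card-9", "amount": 5.00},
    {"t": 180, "acct": "A1", "type": "withdrawal", "method": "card-9",
     "amount": 405.00, "balance_before": 405.00},
    # B2: new method, ordinary deposit, small withdrawal days later
    {"t": 10, "acct": "B2", "type": "method_added", "method": "bank-3"},
    {"t": 50, "acct": "B2", "type": "deposit", "method": "bank-3", "amount": 50.00},
    {"t": 400000, "acct": "B2", "type": "withdrawal", "method": "bank-3",
     "amount": 20.00, "balance_before": 120.00},
    # C3: full withdrawal, but to a method that was not newly added
    {"t": 500, "acct": "C3", "type": "withdrawal", "method": "bank-1",
     "amount": 300.00, "balance_before": 300.00},
    # D4: new method and $5 deposit, but only a small withdrawal
    {"t": 20, "acct": "D4", "type": "method_added", "method": "card-2"},
    {"t": 90, "acct": "D4", "type": "deposit", "method": "card-2", "amount": 5.00},
    {"t": 300, "acct": "D4", "type": "withdrawal", "method": "card-2",
     "amount": 10.00, "balance_before": 105.00},
]


def find_cashouts(events, max_verify=5.00, window=86400, drain_ratio=0.9):
    """Return withdrawals matching: new method -> small deposit -> balance drain."""
    added = {}        # (acct, method) -> time the method was added
    verified = set()  # (acct, method) pairs that received a small deposit
    alerts = []
    for e in sorted(events, key=lambda ev: ev["t"]):
        key = (e["acct"], e["method"])
        if e["type"] == "method_added":
            added[key] = e["t"]
        elif e["type"] == "deposit":
            if key in added and e["amount"] <= max_verify:
                verified.add(key)
        elif e["type"] == "withdrawal" and key in verified:
            age = e["t"] - added[key]
            drained = e["amount"] >= drain_ratio * e["balance_before"]
            if age <= window and drained:
                alerts.append({"acct": e["acct"], "method": e["method"],
                               "amount": e["amount"], "method_age_s": age})
    return alerts


if __name__ == "__main__":
    for alert in find_cashouts(EVENTS):
        print(alert)
```
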
Access to the Victim Accounts was sold on various websites that traffic in stolen accounts, which are frequently referred to as “Shops.” AUSTAD and Garrison sold some of the Victim Accounts on shops that they each directly controlled, and AUSTAD’s shop was named after the character Snoopy from the Peanuts comic strip. A photo of AUSTAD’s Shop website with victim companies redacted is below:
As to other of the Victim Accounts, AUSTAD and Garrison sold them in bulk to co-conspirators, who in turn sold them on their own Shops. STOKES controlled his own Shop, used the alias “TheMFNPlug,” and purchased Victim Accounts in bulk from Garrison. Garrison and STOKES messaged each other as to what prices STOKES should charge and what Garrison’s cut of the sales should be. Garrison provided STOKES with Victim Accounts with a total listed account value of over $125,000.
Photos from STOKES’s Instagram account advertising the availability of Victim Accounts for purchase on his Shop are below, with the name of the Betting Website redacted:
On or about December 2, 2022, AUSTAD messaged about the existence of this investigation, “everyone should’ve been prepared for this before cashing out lol,” and a co-conspirator replied, “lol fbi can’t do shit.” On or about May 19, 2023, AUSTAD messaged about the existence of this investigation, “like we I know the risk when we started lol . . . everyone knows their committing fraud.”
In order to advertise the success of his Shop that sold stolen accounts, AUSTAD used artificial intelligence image generation tools to create images using the following prompts: “8k hyper-realistic digital art snoopy hacking into 8k hyper-realistic computer with hacker stuff on the screen,” “8k hyper realistic snoopy designed jet but instead of smoke trails it has money trails,” and, “100 bill hyper realistic but instead of the president its snoopy.” AUSTAD also controlled cryptocurrency accounts that received cryptocurrency worth approximately $465,000, and those accounts appear to be proceeds of his credential stuffing attacks and sale of stolen accounts.
Ultimately, AUSTAD, STOKES, Garrison, and others stole approximately $600,000 from approximately 1,600 Victim Accounts.
Garrison was previously arrested in connection with the attack on the Betting Website, and, on November 15, 2023, he pled guilty to conspiracy to commit computer intrusion in connection with that attack. Garrison’s sentencing is scheduled for February 1, 2024, at 4:00 p.m. before U.S. District Judge Lewis A. Kaplan.
* * *
AUSTAD, 19, of Farmington, Minnesota, and STOKES, 21, of Memphis, Tennessee, are each charged with (i) conspiracy to commit computer intrusions, which carries a maximum sentence of five years in prison; (ii) unauthorized access to a protected computer to further intended fraud, which carries a maximum sentence of five years in prison; (iii) unauthorized access to a protected computer, which carries a maximum sentence of five years in prison; (iv) wire fraud conspiracy, which carries a maximum sentence of 20 years in prison; (v) wire fraud, which carries a maximum sentence of 20 years in prison; and (vi) aggravated identity theft, which carries a mandatory minimum sentence of two years in prison.
The minimum and maximum potential sentences are prescribed by Congress and are provided here for informational purposes only, as any sentencing of the defendants will be determined by a judge.
Mr. Williams praised the outstanding work of the FBI. Mr. Williams also thanked the New York City Police Department, U.S. Secret Service, and the U.S. Attorney’s Offices for the District of Minnesota and the Western District of Tennessee for their assistance in the investigation.
The case is being prosecuted by the Office’s Complex Frauds and Cybercrime Unit. Assistant U.S. Attorneys Kevin Mead and Micah Fergenson are in charge of the prosecution.
The charges contained in the Complaint are merely accusations, and the defendants are presumed innocent unless and until proven guilty.
As the introductory phrase signifies, the entirety of the text of the Complaint and the description of the Complaint set forth herein constitute only allegations, and every fact described therein should be treated as an allegation.