Damian Williams, the United States Attorney for the Southern District of New York, announced the guilty plea today of KAMERIN STOKES, a/k/a “TheMFNPlug,” in connection with a scheme to hack user accounts at a fantasy sports and betting website (the “Betting Website”) and sell access to those accounts in order to steal hundreds of thousands of dollars from them. STOKES pled guilty on April 25th 2024 to conspiracy to commit computer intrusion before U.S. District Judge Naomi Reice Buchwald.
U.S. Attorney Damian Williams said: “With today’s guilty plea, this Office has successfully prosecuted a second member of a scheme to hack fantasy sports and betting accounts and sell access to them online. Kamerin Stokes and his co-defendants greedily lined their own pockets by profiting off of harmful hacks that drained victims of hundreds of thousands of dollars and erode the public’s trust in online platforms. Hackers and cybercriminals who sell stolen information online should be warned that this Office is watching and will continue to protect internet-users from malicious actors.”
According to the charging documents and other filings and statements made in court
On or about November 18, 2022, several individuals launched a “credential stuffing attack” on the Betting Website. During a credential stuffing attack, a cyber threat actor collects stolen credentials, or username and password pairs, obtained from other large-scale data breaches of other companies, which can be purchased on the darkweb. The threat actor then systematically attempts to use those stolen credentials to obtain unauthorized access to accounts held by the same user with other companies and providers in order to compromise accounts where the user has maintained the same password. Here, in connection with the attack on the Betting Website, there was a series of attempts to log into the Betting Website accounts using a large list of stolen credentials.
Those individuals successfully accessed approximately 60,000 accounts at the Betting Website (the “Victim Accounts”) through the credential stuffing attack. In some instances, the individuals who unlawfully accessed the Victim Accounts were able to add a new payment method on the account, deposit $5 into that account through the new payment method to verify that method, and then withdraw all the existing funds in the Victim Account through the new payment method (i.e., to a newly added financial account belonging to the hacker), thus stealing the funds in the Victim Account.
Access to the Victim Accounts were sold on various websites that traffic in stolen accounts, which are frequently referred to as “Shops.” STOKES controlled his own Shop, used the alias, “TheMFNPlug,” and purchased Victim Accounts in bulk. STOKES obtained Victim Accounts from the Betting Website with a total listed account value of over $125,000 and then offered access to those accounts for sale on his Shop.