Pierluigi Paganini
April 17, 2026
Kamerin Stokes, 23, from Memphis (aka TheMFNPlug), received a 30-month prison sentence for his role in a 2022 credential stuffing attack against DraftKings. He continued selling stolen login data online even after pleading guilty. The court also ordered three years of supervised release, $125,000 in forfeiture, and $1.3 million in restitution, highlighting the financial impact of the breach and the consequences of ongoing cybercrime activity.
“United States Attorney for the Southern District of New York, Jay Clayton, announced today that KAMERIN STOKES, a/k/a “TheMFNPlug,” was sentenced to 30 months in prison for his role in a scheme to hack user accounts on a fantasy sports and betting website (the “Betting Website”) and sell access to those accounts, resulting in losses of hundreds of thousands of dollars to the users. STOKES was sentenced today before U.S. District Judge Naomi Reice Buchwald.” reads the press release published by DoJ.
In November 2022, attackers carried out a credential stuffing attack against DraftKings using large sets of stolen usernames and passwords bought on the dark web. They tested these credentials across accounts, targeting users who reused the same login details. The attackers managed to access around 60,000 accounts. In some cases, they added new payment methods, deposited small amounts to verify them, and then withdrew the full balance to accounts they controlled. This allowed them to steal funds directly from victims, showing how dangerous password reuse can be and how easily attackers can exploit compromised credentials at scale.
The man sold access to stolen DraftKings accounts through his own online shop under the alias “TheMFNPlug,” handling accounts worth over $125,000. Even after pleading guilty, he reopened the shop, selling stolen accounts from various platforms and promoting it with the slogan “fraud is fun.” He admitted running such operations for years and said he needed money for legal fees. Authorities arrested him again for violating release conditions and placed him back in custody.
“In addition to the prison term, STOKES, 23, of Memphis, Tennessee, was sentenced to three years of supervised release and ordered to pay $125,965.53 in forfeiture and $1,327,061 in restitution.” concludes DoJ. “Mr. Clayton praised the outstanding work of the Federal Bureau of Investigation.”
In November 2022, DraftKings announced that approximately 68,000 accounts had been compromised in another credential stuffing attack.
In November 2023, US teenager Joseph Garrison pleaded guilty to his involvement in the credential stuffing attack. In January 2024, Garrison was sentenced to 18 months in prison.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, cybercrime)
