$600K DraftKings Hacker Snoopy Draws 18 Months in Prison

A 21-year-old who used the alias “Snoopy” received 18 months in prison for his role in the November 2022 cyberattack on DraftKings customer accounts, a case that began as a reused-password attack but ended with prosecutors describing roughly $600,000 stolen from about 1,600 accounts.

The defendant, Nathan Austad of Minnesota, pleaded guilty in December 2025 to conspiracy to commit computer intrusion, admitting that he and co-conspirators compromised 60,000 DraftKings user accounts, according to BleepingComputer. The DraftKings hacker Snoopy case is now one of three sentencings tied to the same account takeover scheme.

DraftKings hacker Snoopy gets 18 months after a reused-password attack snowballed

The attack targeted customer accounts on DraftKings, the fantasy sports and sports betting platform. The method was credential stuffing, where attackers test previously stolen username and password pairs against another service and break in when users reuse logins.

That distinction matters. The case described attackers exploiting compromised customer credentials, not a confirmed breach of DraftKings’ core systems. But for customers whose accounts were drained, the practical result was the same: unauthorized access, unauthorized payment changes, and stolen funds.

Federal Newswire reported that United States Attorney for the Southern District of New York Jay Clayton announced the sentencing on June 23, and that U.S. District Judge Ronnie Abrams imposed the sentence. Austad had pleaded guilty to one count of conspiring to commit computer intrusion.

Prosecutors said the group launched the attack around November 18, 2022. The attackers added payment methods they controlled to some victim accounts, then withdrew funds.

“Nathan Austad and his co-defendants hacked an online betting website to compromise the accounts of over 60,000 users by purchasing their already stolen credentials on the darkweb and utilizing their previous passwords from other websites,” Clayton said, according to Federal Newswire.

Austad’s sentence also includes three years of supervised release, $463,684 in forfeiture, and $1,327,061 in restitution, according to BleepingComputer. Federal Newswire lists the forfeiture figure as $463,684.48.

DraftKings first disclosed less than $300,000 stolen, prosecutors later described $600,000

The financial picture shifted as the case developed.

In November 2022, DraftKings said hackers accessed customer accounts through credential stuffing that exploited weak passwords or reused login credentials. At the time, the company reported that less than $300,000 had been stolen from affected customers.

A month later, DraftKings disclosed that 67,995 customer accounts had been compromised in the attack. Prosecutors later said Austad and co-conspirators compromised roughly 60,000 user accounts, added payment methods under their control to 1,600 accounts, and stole about $600,000.

The gap is the core tension in this case: credential stuffing can look narrow at first, then expand once investigators map the full chain of logins, withdrawals, resale activity, and crypto flows.

Before vs. after in the DraftKings account attack:

• Initial company disclosure: Less than $300,000 stolen from affected customers.
• Later DraftKings account count: 67,995 customer accounts compromised.
• Prosecutors’ case figure: About 60,000 user accounts compromised.
• Funds prosecutors tied to withdrawals: Roughly $600,000 stolen from about 1,600 victim accounts.
• Austad-linked crypto flow: Approximately $465,000 in assets received by cryptocurrency accounts controlled by Austad, according to the Justice Department details cited by BleepingComputer.

The supplied record does not say whether DraftKings later imposed specific new security measures, issued password resets, or changed authentication requirements. It does show the company disclosed the account access, later revised the compromised-account count, and became part of a federal criminal case.

For readers tracking broader cybersecurity exposure, XOOMAR has also covered how third-party and device security failures can widen risk in Tata Electronics Data Breach Exposes Apple, Tesla Risk and Eight-Year Samsung KNOX Flaw Exposed Galaxy Phones.

“lol fbi can’t do shit” became evidence of the gap between swagger and sentencing

The court record also undercut the attackers’ confidence.

Federal Newswire reported that messages between conspirators showed awareness of law enforcement scrutiny. One co-conspirator wrote, “lol fbi can’t do shit.” Clayton framed the sentence as the answer to that claim.

“The defendants acknowledged the federal investigation into their conduct while they were committing their crimes, even having the hubris to say the FBI could not do anything about it. They were wrong,” Clayton said.

BleepingComputer reported that Austad operated his own shop selling access to stolen accounts and used other platforms for the same purpose. The Justice Department said the shop was named after Snoopy from the Peanuts comic strip.

“AUSTAD directly controlled and profited from his own shop, which was named after the character Snoopy from the Peanuts comic strip,” the U.S. Department of Justice said.

That detail matters because the case was not limited to withdrawals from DraftKings accounts. Prosecutors also described resale infrastructure, including online marketplaces that traffic in stolen account access. In May 2023, authorities charged Joseph Garrison for his role in the scheme, accusing him and co-conspirators of selling access to hacked DraftKings accounts through marketplaces such as the “Goat Shop.”

Three sentencings put account security back on betting apps and users

Austad is the third defendant sentenced in the DraftKings hacker Snoopy case and related investigation.

The practical lesson is blunt. Reused credentials turned into criminal access, account resale, payment-method changes, withdrawals, crypto proceeds, guilty pleas, and prison time.

For users, the strongest takeaway is still basic but non-negotiable:

• Passwords: Don’t reuse gambling, finance, email, or crypto passwords across sites.
• Two-factor authentication: Turn it on where available, especially for accounts tied to balances or payments.
• Account alerts: Treat new payment methods, withdrawal notices, and login warnings as urgent.
• Credential exposure: If a password was used on a breached service, assume attackers will test it elsewhere.

For platforms, the watch item is sharper. Credential stuffing may start outside the company’s systems, but the damage lands inside the customer relationship. As sportsbooks compete for deposits and account activity, weak account protection can quickly become a criminal case, a restitution order, and a trust problem that lasts longer than the initial attack window.

Impact Analysis

• The case shows how reused passwords can turn old data leaks into new financial losses.
• DraftKings customers were affected even without a confirmed breach of the company’s core systems.
• The sentencing underscores growing legal consequences for credential-stuffing attacks.