The DOJ’s sentencing announcement for Nathan Austad makes one thing vivid: he and his co-conspirators sent direct messages to each other openly admitting to the fraud, and warned each other to prepare. They kept going anyway.
Austad, alias “Snoopy,” received 18 months in federal prison after pleading guilty in December 2025 to conspiracy to commit computer intrusion. He and co-conspirators ran credential stuffing attacks against DraftKings in November 2022, compromising 60,000 accounts. Hackers added payment methods to 1,600 of them and stole $600,000.
Austad ran his own storefront selling access to hacked accounts, named after the Peanuts character. Investigators found his cryptocurrency wallets held roughly $465,000. The court ordered $463,684 in forfeiture and $1,327,061 in restitution on top of the prison term.
I read the SDNY sentencing press release this week. U.S. Attorney Jay Clayton’s quote is direct: the defendants “acknowledged the federal investigation into their conduct while they were committing their crimes, even having the hubris to say the FBI could not do anything about it. They were wrong.”
Austad’s 18 months matches Joseph Garrison’s sentence from January 2024. Kamerin Stokes, charged alongside Austad in January 2024, got 30 months in April 2026. All three are heading to federal prison.
Credential stuffing has historically been treated as low-level opportunistic fraud: you exploited someone else’s data breach, not your own intrusion. The SDNY’s three consecutive convictions reframe it. When you’re running a storefront and pocketing $465,000 in crypto, don’t expect a fine. Expect a cell.
Three years of supervised release follow Austad’s term — worth auditing your organization’s credential hygiene this quarter.
Rebecca Lauren