I’m a professional hacker and I’ve raked in more than $2 million by infiltrating Yahoo, Uber and even the US Government
>
From a prolific cybercriminal to one of the richest ethical ‘bounty hunters’ in the world; a white hat hacker has shared the story of his transformation in an exclusive interview with MailOnline.
Tommy DeVoss – known as ‘dawgyg’ – has raked in over $2 million by exploiting thousands of big names for money, including Yahoo, X (formerly Twitter), Uber and even the US government.
This is thanks to sites like HackerOne, which enable ethical hackers to use their skills for the greater good, reporting vulnerabilities in computer systems to help strengthen cybersecurity.
Tommy even received a staggering $180,000 (£147,000) payout in one day for helping Yahoo, and is among just a handful of hackers who have made $2 million (£1.6 million) from the site.
But the 39-year-old hacker from Virginia, US, hasn’t always been on the right side of the tracks, as he’s already ended up in federal prison three times for his previous illegal behavior.
Tommy DeVoss – or ‘dawgyg’ (pictured) – has exploited thousands of big names for money
“When I look back and think, ‘I’m getting ready to go to federal prison,’ I thought my life was basically over,” he told MailOnline.
‘I expected to spend the rest of my life working in a dead-end, meaningless job and barely making any money. I never expected to be where I am today.
“It’s nice to know that I could turn what were once bad things into a good career. It’s nice that I’m now doing things for good and that I don’t have to hide.’
Tommy claims he has been hacking since he was nine, after accidentally learning from members of a chat room he joined.
Initially unaware of the legal limits, he went to the city to experiment with his newly acquired knowledge.
As a black hat, Tommy believes he ultimately exploited over 10,000 governments, armies and corporations out of boredom.
This included Nokia, Sony, Mercedes-Benz and even EA Sports, often as part of a group known as World of Hell.
At one point, he even operated 700 businesses in five minutes after breaking into a hosting provider.
But it was this behavior that earned him three federal prison sentences between 2002 and 2010.
Most notably, he was convicted in 2005 of breaking into US military computers and was even raided twice by FBI agents.
“On June 12, 2002, they came to my door with a full whack and everything,” he told MailOnline.
Tommy DeVoss even received a staggering $180,000 payout in one day for helping Yahoo
‘I wasn’t there, my sister was there. I was at work, but I tried to get off all day, and I finally convinced my boss that I wasn’t feeling well, and he let me leave at 1 p.m.
“So I drove home and when I got to my apartment at that time, there wasn’t a single car in the parking lot.
“Every car was pulling out of the parking lot and it was strange because I had never seen that before.
“And then I tried to unlock my door and open it, but it was locked with a deadbolt that could only be unlocked from the inside. So I started knocking on the door and told my sister to open the door and that she better not smoke.
“Then, next thing I know, the door opens and there’s an M16 in my face.”
He later added, “I have an addictive personality, I also have ADHD, you know.
“So it’s the one thing my mind has never gotten tired of, and the feeling I get when I get a bug or when I break into a system or something that I know is going to be big – the rush is no different than using drugs.’
During his time in prison, Tommy faced months of solitary confinement, during which he was only allowed to make one phone call every thirty days.
It wasn’t until he was released from prison for the fourth time that Tommy realized that legal bug bounties were an option for him
Only after his final release did Tommy realize that legal hacking in the form of ‘bug bounties’ was an option for him.
These programs, put out by various websites and organizations, offer rewards to individuals who identify errors or vulnerabilities in computer systems.
Last year alone, for example, Google paid out a whopping $12 million (£9.8 million) in rewards to 703 paid researchers under its own bug bounty program.
As a result, the tech titan was able to fix almost 3,000 vulnerabilities, with one researcher even bagging $605,000 (£494,899) in a single reward.
“I heard about bug bounties in 2013 or 2014, but I thought it sounded too good to be true, so I didn’t do it,” he continued.
“And then towards the end of 2015, I started seeing people’s posts about bug bounties on Twitter.
“So then I started looking into it and saw there was a bug bounty program on HackerOne.”
HackerOne is a US-based company focused on reducing the risk of security incidents by working with the largest community of trusted ethical hackers.
It hosts numerous bug bounty programs for a range of different organizations, in addition to scenario-based activities that teach people how to get involved.
While Tommy now works as a Staff Security Engineer at US-based Braze, he previously spent 10 to 20 hours a month doing this and earned around $100,000 (£81,000) annually.
He has now hacked the US government, Yahoo, Uber and countless other companies within ethics programs like this one.
Now that he is working and making money legally, he bought his daughter a laptop for her seventh birthday. She also hopes to become a white hat hacker (or a ballerina) one day
Tommy DeVoss (dawgyg) on HackerOne: Here are the public bounty programs he has interacted with. ‘Valid/Closed’ bounties are the number of successful reports he has submitted to the site
Tommy added: “I started hacking Yahoo – they gave me my first bounty in March 2016, and then they just kept going.
“There’s a fair number of us now who make a living from this, but the vast majority don’t.”
Tommy claims that bug bounties are now getting heavier thanks to increased competition.
But for those eager to get started, he advises that perseverance is key.
“If you decide to do this, you can’t be someone who doesn’t handle failure well,” he told MailOnline.
“Bug bounty hunters fail 999,999 times for every time they are successful.
“So you have to be okay with the fact that most of what you do will ultimately go unpaid.”
He later added: ‘So you will fail a lot, but you will continuously learn. You have to have that mentality.’
Last month, Tommy bought his seven-year-old daughter a laptop for her birthday.
She wants to become an ethical hacker like him.
“She tells people her father is a hacker,” he continued.
“She wants to be a hacker like me and a teacher, and she wants to be a ballerina because her mother wanted to be a ballerina.
‘You can make a lot of money with legal hacking.’
The FBI declined to comment on the details of Tommy DeVoss’ criminal history and it is understood his records were redacted by the US military in 2016.