The Daily Observer London Desk: Reporter: John Furner
From a prolific cybercriminal to one of the richest ethical ‘bounty hunters’ in the world; a white hat hacker has shared the story of his transformation in an exclusive interview.
Tommy DeVoss – famously known as ‘dawgyg’ – has raked in more than $2 million (£1.6 million) by exploiting thousands of big names for cash, including Yahoo, X (formerly Twitter), Uber and even the US Government.
This is thanks to sites like HackerOne, which enable ethical hackers to use their skills for the greater good, by reporting vulnerabilities within computer systems to help bolster cybersecurity.
Tommy even received a staggering $180,000 (£147,000) payout in one day for helping Yahoo, and is among just a handful of hackers to have earned $2 million (£1.6 million) on the site.
But the 39-year-old hacker from Virginia, US, hasn’t always been on the right side of the tracks, having faced federal prison three times due to his previously unlawful behaviour.
Tommy DeVoss – or ‘dawgyg’ (pictured) – has exploited thousands of big names for cash
‘Looking back and thinking “I’m getting ready to go to federal prison”, I thought that my life was effectively over,’ he said.
‘I expected to be working in a dead-end, meaningless job for the rest of my life barely making money. I never expected to be where I am right now.
‘It’s nice to know that I could turn what was once bad stuff into a good career. It’s nice that I’m doing things for good now and I don’t have to hide.’
Tommy claims he’s been hacking since the age of nine after learning from members of a chatroom he joined completely by accident.
Initially unaware of the legal boundaries, he went to town experimenting with his newly found knowledge.
As a black hat, Tommy believes he eventually exploited well over 10,000 governments, militaries and companies just out of boredom.
This included the likes of Nokia, Sony, Mercedes-Benz and even EA Sports, often as part of a group known as World of Hell.
At one point, he even exploited 700 companies in five minutes after breaking into a hosting provider.
But it was this behaviour that landed him three federal prison sentences spanning from 2002 to 2010.
Most notably, in 2005 he was convicted of breaking into US military computers and was even raided by FBI agents on two separate occasions.
‘June 12 2002, they came with the full SWAT and everything at my door,’ he said.
Tommy DeVoss even received a staggering $180,000 payout in one day for helping Yahoo
‘I wasn’t there for that one – my sister was there. I was at work, but I had been trying to get off the whole day, and finally convinced my boss that I wasn’t feeling good, and he let me leave at like one o’clock in the afternoon.
‘So, I drove home and when I got to my apartment at the time, there was not a single car in the parking lot.
‘Every single car was out of the parking lot, and it was strange because I had never seen that.
‘And then I tried to unlock my door and open it, but it was locked on a dead bolt that could only be unlocked inside. So, I started beating on the door, telling my sister to open the door, and that she better not be smoking.
‘Then the next thing I know the door opens, and there’s an M16 in my face.’
He later added: ‘I’ve got an addictive personality, I’ve also got ADHD, you know.
‘So it’s the one thing that my mind has never grown tired of, and the feeling that I get when I like get the bug or I break into a system or something I know it’s going to be a big – the rush is no different to doing drugs.’
During his time in prison, Tommy faced months of solitary confinement in which he was only allowed to make one phone call every 30 days.
It was only on his fourth release from prison that Tommy realised that legal bug bounties were an option for him
It was only after his final release that Tommy realised legal hacking in the form of ‘bug bounties’ were an option for him.
These programs, put out by various websites and organisations, offer rewards to individuals who identify errors or vulnerabilities within computer systems.
For instance, last year alone, Google paid out a staggering $12 million (£9.8 million) in rewards to 703 paid researchers within its own bug bounty program.
The tech titan was able to fix almost 3,000 vulnerabilities as a result – with one researcher even bagging $605,000 (£494,899) in a single reward.
‘I heard about bug bounties in 2013 or 2014, but I thought it sounded too good to be true so I didn’t do it,’ he continued.
‘And then towards the end of 2015 I started seeing people’s write-ups of bug bounties on Twitter.
‘So, then I started looking into it and saw there was a bug bounty program on HackerOne.’
HackerOne is a US-based firm that’s focused on reducing the risk of security incidents by working with the largest community of trusted ethical hackers.
It hosts countless bug bounty programs for a range of different organisations in addition to scenario-based activities that teach people how to get involved.
While Tommy now works as a Staff Security Engineer at the US-based Braze, he would previously spend 10 to 20 hours a month doing this, earning roughly $100,000 (£81,000) each year.
He’s now hacked the US Government, Yahoo, Uber and numerous other firms within ethical programs such as this.
Now employed and earning money legally, he’s bought his daughter a laptop for her 7th birthday. She hopes to one day become a white hat hacker (or a ballerina) too
Tommy DeVoss (dawgyg) on HackerOne: Listed are the public bounty programs that he has interacted with. ‘Valid/Closed’ bounties are the number of successful reports he has submitted on the site
Tommy added: ‘I started hacking Yahoo – they gave me my first bounty in March of 2016, and then they just went from there.
‘There’s a decent number of us now that make a living out of this, but the vast majority are not.’
Tommy claims that bug bounties are now getting tougher thanks to heightened competition.
But for those keen to get started, he advises that perseverance is key.
‘If you decide to do this, you cannot be somebody that doesn’t take failure well,’ he said.
‘Bug bounty hunters fail 999,999 times for every time that they’re successful.
‘So you have to be okay with the fact that most of what you do is gonna end up being unpaid.’
He later added: ‘So you’re going to fail a lot, but you’re gonna be constantly learning. You’ve got to have that mindset.’
Just last month, Tommy bought his seven-year-old daughter a laptop for her birthday.
She wants to be an ethical hacker just like him.
‘She tells people that her daddy is a hacker,’ he continued.
‘She wants to be a hacker like me and a teacher, and she wants to be a ballerina ’cause her mum wanted to be a ballerina.
‘You can make really good money from legally hacking.’
The FBI declined to comment on the details of Tommy DeVoss’s criminal history, and it’s understood that his records were redacted by the US military in 2016.