From a prolific cybercriminal to one of the world’s richest ethical ‘bounty hunters’: a white hat hacker has shared the story of his transformation in an exclusive interview with MailOnline.
Tommy DeVoss – famously known as ‘dawgyg’ – has earned more than $2m (£1.6m) by exploiting thousands of big names for cash, including Yahoo, X (formerly Twitter), Uber and even the U.S. government.
This is due to sites like HackerOne, which allow ethical hackers to use their skills for the greater good, by reporting vulnerabilities within computer systems to help bolster cybersecurity.
Tommy was even paid a staggering $180,000 (£147,000) in one day for helping Yahoo, and is among a handful of hackers who have made $2m (£1.6m) on the site.
But the 39-year-old hacker from Virginia, US, hasn’t always been on the right side, having faced federal prison three times due to his previously illegal behavior.
“Looking back and thinking, ‘I’m getting ready to go to federal prison,’ I thought my life was effectively over,” he told MailOnline.
“I expected to be working a dead-end, meaningless job for the rest of my life, barely making any money. I never expected to be where I am now.
“It’s good to know that I can turn what was once a bad thing into a good career. It’s good that now I’m doing things for good and I don’t have to hide.”
Tommy claims that he has been hacking since he was nine years old, after learning from the members of a chat room he joined by accident.
At first he was unaware of the legal limits, and he went to town experimenting with his newly acquired knowledge.
As a black hat, Tommy believes he ended up exploiting over 10,000 governments, militaries, and companies simply out of boredom.
This included companies like Nokia, Sony, Mercedes-Benz and even EA Sports, often as part of a group known as World of Hell.
At one point, he even compromised 700 companies in five minutes after breaking into a hosting provider.
But it was this behavior that earned him three federal prison sentences between 2002 and 2010.
Notably, in 2005 he was convicted of breaking into US military computers and was even raided by FBI agents on two separate occasions.
“On June 12, 2002, they came bang and everything to my door,” he told MailOnline.

“I wasn’t there for that, my sister was there. I was at work, but I had been trying to get out all day, and I finally convinced my boss that I wasn’t feeling well and he let me out late, at like one in the morning.
“So I drove home and when I got to my apartment at that point, there wasn’t a single car in the parking lot.
“All the cars were outside the car park and it was strange because I had never seen that.
“And then I tried to unlock the door and open it, but it was locked with a bolt that could only be opened from the inside. So, I started banging on the door, telling my sister to open it and that she better not smoke.
“Then the next thing I know, the door opens and there’s an M16 in my face.”
He later added: “I have an addictive personality, I also have ADHD, you know?”
“So it’s the one thing my mind has never gotten tired of, and the feeling I get when I get the bug or get into a system or something, I know it’s going to be big: the rush is no different than doing drugs.”
During his time in prison, Tommy faced months of solitary confinement in which he was only allowed to make one phone call every 30 days.

Only after his final release did Tommy realize that legal hacking in the form of “bug bounties” was an option for him.
These programs, published by various websites and organizations, offer rewards to people who identify errors or vulnerabilities within computer systems.
For example, last year alone, Google paid out a staggering $12 million (£9.8 million) in rewards to 703 paid researchers within its own bug bounty program.
As a result, the tech titan was able to fix almost 3,000 vulnerabilities, with one researcher even pocketing $605,000 (£494,899) in a single bounty.
“I heard about bug bounties in 2013 or 2014, but I thought it sounded too good to be true, so I didn’t do it,” he continued.
“And then towards the end of 2015, I started seeing articles from people about bug bounties on Twitter.
“So I started looking into it and saw that there was a bug bounty program on HackerOne.”
HackerOne is a US-based company that focuses on reducing the risk of security incidents by working with the largest community of trusted ethical hackers.
It hosts countless bug bounty programs for a variety of different organizations, as well as scenario-based activities that teach people how to participate.
While Tommy now works as a staff security engineer at US-based Braze, he previously spent 10 to 20 hours a month doing this, earning approximately $100,000 (£81,000) each year.
He has now hacked the US government, Yahoo, Uber and many other companies within ethical programs like this.

Tommy DeVoss (dawgyg) on HackerOne: Lists public bounty programs he has interacted with. ‘Valid/Closed’ rewards are the number of successful reports he has submitted on the site.
Tommy added: “I started hacking Yahoo, they gave me my first bounty in March 2016 and then it went on from there.”
“Now there are a decent number of us who make a living at this, but the vast majority don’t.”
Tommy claims that bug bounties are now becoming more difficult thanks to increased competition.
But for those interested in getting started, he warns that perseverance is the key.
“If you decide to do this, you can’t be someone who doesn’t take failure well,” he told MailOnline.
“Bug bounty hunters fail 999,999 times for every time they succeed.
“So you have to accept the fact that most of what you do will end up unpaid.”
He later added: “So you are going to fail a lot, but you will be constantly learning. You have to have that mentality.”
Last month, Tommy bought his seven-year-old daughter a laptop for her birthday.
She wants to be an ethical hacker like him.
“She tells people that her dad is a hacker,” he continued.
“She wants to be a hacker like me and a teacher, and she wants to be a dancer because her mother wanted to be a dancer.
“You can make a lot of money hacking legally.”
The FBI declined to comment on the details of Tommy DeVoss’ criminal history and it is understood his records were redacted by the US military in 2016.