Darknet Diaries - 60: dawgyg
Episode Date: March 3, 2020This is a story about the hacker named “dawgyg” and how he made over $100,000 in a single day, from hacking.Thanks to our guest dawgyg for telling his story.SponsorsThis episode is sponso...red by SentinelOne - to learn more about their endpoint security solutions and get a 30-day free trial, visit sentinelone.com/darknetdiariesThis episode was sponsored by Linode. Linode supplies you with virtual servers. Visit linode.com/darknet and when signing up with a new account use code darknet2020 to get a $20 credit on your next project.Support for this episode comes from Blinkist. They offer thousands of condensed non-fiction books, so you can get through books in about 15 minutes. Check out Blinkist.com/DARKNET to start your 7 day free trial and get 25% off when you sign up.Sources Video: The Million-Dollar Hacker | Bloomberg Video: Hacker makes big money as a bug bounty hunter | Kim Komando Show https://hackerone.com/dawgyg dawgyg wins h1415 https://www.hackerone.com/blog/meet-six-hackers-making-seven-figures USA v. DeVoss court records
Transcript
Discussion (0)
A quick warning right here at the beginning.
This episode does contain some swear words and some bad language.
If that's an issue for you, well, maybe skip this one.
Hey, it's Jack, host of the show.
One of the reasons I like making this show is to smash the stereotype of what a hacker looks like.
And today's guest definitely does that.
I don't know. I'm trying to understand get a picture
of your vibe here you're almost like uh you almost look like eminem a little not quite but you know
yeah i got told that a lot what do you call what would you characterize yourself well i actually
used to take a lot of pride in the fact that um i don't look like the average hacker. I guess what you, what most people would say I was,
was do you remember the term wigger?
Yeah.
W-H-I-G-G-R, white guys that dressed like black guys,
listened to rap music and stuff like that.
My first time in prison and up until that point,
I guess that's technically what most people would see me as.
Like I wore baggy clothes, sagging pants,
backwards hat and everything like that.
I got tattooed pain is love from a Ja Rule song
on the back of my head.
I got the laugh now and cry later faces.
These are tattoos he got while in prison.
So on my right bicep, I put a little tribal looking face that was smiling and it said, laugh now.
And then on my left side, I had a face that was crying and it said, cry later.
Federal prison.
In federal prison, we all have prison numbers.
And the last three digits of your number show where you were arrested.
And my number was 38141-083. 083 is the Eastern
District of Virginia. This is Doggy G and his story perplexes me because of stuff he says like
October 18th of 2018, I was paid $160,000 in that one day. So what did he do to make $160,000 in one day?
Well, he's a hacker.
These are true stories from the dark side of the internet.
I'm Jack Recider.
This is Darknet Diaries.
This episode is sponsored by Delete Me.
I know a bit too much about how scam callers work.
They'll use anything they can find about you online to try to get at your money.
And our personal information is all over the place online.
Phone numbers, addresses, family members, where you work, what kind of car you drive.
It's endless.
And it's not a fair fight.
But I realize I don't need to be fighting this alone anymore. Now I use the help of Delete.me. Delete.me is a subscription service
that finds and removes personal information from hundreds of data brokers websites and continuously
works to keep it off. Data brokers hate them because Delete.me makes sure your personal
profile is no longer theirs to sell. I tried it and they immediately got busy scouring the
internet for my name and gave me reports on what they found.
And then they got busy deleting things.
It was great to have someone on my team when it comes to my privacy.
Take control of your data and keep your private life private by signing up for Delete Me.
Now at a special discount for Darknet Diaries listeners.
Today get 20% off your Delete Me plan when you go to joindeleteme.com slash dark net diaries and use promo code dark net at
checkout. The only way to get 20% off is to go to join delete me.com slash dark net diaries and
enter code dark net at checkout. That's join delete me.com slash dark net diaries. Use code dark net.
Support for this show comes from Black Hills Information Security. This is a company that does penetration testing, incident response, and active monitoring to help keep businesses
secure. I know a few people who work over there, and I can vouch they do very good work. If you
want to improve the security of your organization, give them a call. I'm sure they can help. But the
founder of the company,
John Strand, is a teacher, and he's made it a mission to make Black Hills Information Security world-class in security training. You can learn things like penetration testing, securing the
cloud, breaching the cloud, digital forensics, and so much more. But get this, the whole thing
is pay what you can. Black Hills believes that great intro security classes do not need to
be expensive, and they are trying to break down barriers to get more people into the security
field. And if you decide to pay over $195, you get six months access to the MetaCTF Cyber Range,
which is great for practicing your skills and showing them off to potential employers.
Head on over to BlackHillsInfosec.com to learn more about what services they offer and find links to their webcasts to get some world-class training.
That's BlackHillsInfosec.com.
BlackHillsInfosec.com.
So Doggy G's real name is Tommy DeVos.
And like many hackers, his story starts out when he was a young boy in a chat room.
I actually joined the wrong chat room by mistake.
It was just like somebody else's private room.
And it was run by a guy that used the alias DZNUTS, D-Z-N-U-T-Z.
But I just did the slash join pound D-Z by mistake.
And this brought him to a chat room full of hackers.
I kind of just hung out in there. I would just keep joining that same room every day after school
for a couple of weeks. So I started like asking him questions. They're like,
who the hell is this kid? Blah, blah, blah. And I got banned like several times.
There's something magical about being in a chat room as a teenager.
They're fun and addicting.
And even though he was banned, he figured out ways to get back in.
I would just disconnect, reconnect, and then go back in again.
And after going in there and spending, I don't know, several months of just keep going back in there repeatedly and asking, just pretty much begging the guy to teach me stuff
because tommy saw this chat room was full of hackers people breaking into computers and networks
that they weren't supposed to and tommy thought this was cool and he wanted to get in on the
action too and he wanted to learn what these hackers were doing and even though they kept
banning him he just kept finding a way back into the channel and was asking them to teach him how to hack.
And eventually they gave in and threw him a bone.
And like the first thing that he told me was go to Yahoo, AltaVista.
He was like, read everything that you can find about hacking.
I want to say this would have been happening in about 94-ish. So actually,
in 1994, Tommy would have only been 12 years old. A preteen still. Well, after bouncing in and out
of all these chat rooms, he finally landed on a name. Doggy G is what he would be known as online.
And that's Doggy spelled D-A-W-Gg-y and so he starts learning some basic hacking techniques
by reading up on it at that time frack was a free online hacking magazine so he probably dove into
that and started reading it from like the first issue and slowly going through it reading every
issue and he learned a few things here and there but hey he's just, so he was just starting out and wasn't very good. But he eventually joined an IRC hacker crew called TDK.
TDK was stood for Those Damn Kids.
The main focus of TDK was IRC FNet wars.
We would build botnets to go and check every single op in our target room
and find a server that didn't have anybody from that server
on it that was an operator and then we would ddos that server to split it off in the network
and then they basically just take over the channel damn you i you're the one who did that
so there was so much back in the day yeah i remember that i remember that because i was
also hanging out in irc channels in 1994 on fnet the exact place where doggy g was trying to do
server splits and take over the channels i remember channels getting taken over by young kids
but at the time i thought it was kind of funny and didn't really take these chat rooms too seriously
and when tommy started calling himself doggy g trying to take over these chat rooms too seriously. And when Tommy started calling himself Doggy G,
trying to take over these chat rooms,
I think this is where he starts trying on his black hat.
That is, he's trying to conduct hacks
that are causing destruction and grief.
Maybe taking over a chat room isn't illegal,
but this would be the beginning of his lifelong hacking career.
What led you up to getting suspended at high school?
So I used to get bored a lot.
Well, I was taking a computer class, but it was QBasic in school.
So a lot of times I'd get bored and wouldn't have anything to do
because I would write my program for the class really fast.
And I would actually DDoS my school's IP address to take our internet down because then we couldn't do class and we'd get to go outside and play.
Yeah, he crashed the school's internet because he would rather go outside and play.
Well, I actually got in trouble for doing that.
They suspended me the first time, three days for that. That was his first suspension from high
school, but it wasn't his only one. Soon after that, he got suspended again. I got expelled from
school because I broke into a military base in Korea and used their computer systems. I hijacked
the AOL account that the general of the base was using. And I sent an email from his email address
from his AOL account to the superintendent of Hanover County that one of the high schools in
his county was going to blow up at 1030 in the morning.
A convoluted scheme, but it was done for the same reasons as the first one.
He just didn't want to be in school.
He wanted to be able to skip school, go to the river, smoke weed and just have fun for the day.
It worked, Sort of.
School was canceled, but he didn't get away with it.
I went to school the next day.
There was a guy in a suit on each side of the door,
and they were like, you need to come with us.
I got expelled.
So how did he get caught?
Did that military base in Korea do some forensic investigation
and trace this back to a teenager in West Virginia?
No.
Did the police track his online connections?
No again.
What happened is that he told someone
that he's the one who got school canceled that day.
And that person went and told someone at the school
that Tommy is who sent in this bomb threat.
And because I had used the internet to do it,
the FBI ended up raiding my house about two weeks after it happened to take my computers.
And that was the first time that I was charged with computer crimes.
I was actually charged with violating the Computer Fraud and Abuse Act.
Being a minor, a sophomore, one of those damn kids in the eyes of the law,
this could get bad pretty quick.
The feds took his computers but let him go free as they investigated the case.
Well, this gave him more time.
More time to hack more stuff.
He got a new computer and slipped on his black hat again.
But forget about TDK at this point.
He was on to more ambitious adventures.
So I started talking to a bunch of other hacking groups.
And I got in contact with a guy named Rafa, who was a member of World of Hell.
And he was telling me about they had rules for the group
where you were only allowed to hack Unix systems.
You were only allowed to target Windows because Windows was too easy.
And they like to only attack government, military, and Fortune 500 companies.
This was great.
Doggy G liked everything about this.
The rules, the people, the stuff he was learning.
So he started hacking with World of Health.
So then in June of 2001, I defaced my first website as part of World of Health.
And it was actually the Virginia.
I broke into the Virginia Department of Informational Technology and defaced www.state.va.us, which was our main state website.
Just from that point on, I just was defacing stuff with World of Health for nonstop for about six to nine months.
Oh, in case you're wondering, deface is just a term used to change what's written on a website. So you can like swap the photo that's on the front page to nine months. Oh, in case you're wondering, D-Face is just a term used to change what's written on a website.
So you can like swap the photo that's on the front page to something else,
or just change what's said there to whatever you want.
In this case, he probably had to prove himself that he was the guy who hacked this site.
So he probably wrote something on there like,
hacked by Doggy G or hacked by World of Hell or something like that.
What were some of the sites that you were hitting
or World of Hell was hitting?
Yahoo.com.ph, Nokia.com,
Stony.com, Dotson, Dunhill, Epson, Fujifilm.
If hacking is a drug,
Mercedes-Benz,
Doggy G was getting addicted,
World Online.
The car company.
AOL.
He was loving this hacking and the World of Hell hacker group.
HP.
Reebok.
But the problem with addictions is that you can overdose.
United Airlines.
Casio.
Motorola.
And you can fall into a world of pain.
Hyundai, Sony Music, Toshiba, Opel, Volvo, EA Sports.
And after the break, the party ends for Doggy G.
Rolex, P-Pfizer, a bunch of Chinese government systems.
The U.S. Department of Energy, U U.S. Court Systems, Venezuelan Military... darknet exposure and was surprised by just how much stolen identity data criminals have at their disposal. From credentials to cookies to PII. Knowing what's putting you and your organization
at risk and what to remediate is critical for protecting you and your users from account
takeover, session hijacking, and ransomware. SpyCloud exists to disrupt cybercrime with a
mission to end criminals' ability to profit from stolen data.
With SpyCloud, a leader in identity threat protection, you're never in the dark about
your company's exposure from third-party breaches, successful phishes, or info-stealer infections.
Get your free Darknet exposure report at spycloud.com slash darknetdiaries.
The website is spycloud.com slash darknetdiaries.
Creative.com, Audi, Kenwood, Acer.
High schooler Doggy G was still hunched over his monitor wearing a black hat and defacing website after website.
Xerox, Packard Bell, Compact, 3Com. Doing all he could before he turned 18,
which was an adult in the eyes of the law. So I turned 18 in November of 2001. I actually
stopped hacking for a few weeks, but then I got bored again, so I started doing it again.
I hacked consistently until June 12th of 2002. On June 11th, that night, Men in Black 2
had just come out in theaters. So that night before I went to bed, I downloaded Men in Black 2.
The plan was I was going to go to work the next day,
and then I was going to come home from work early,
smoke weed with my sister.
Don't bother calling the CIA.
Forget the FBI.
And we were going to watch that movie.
He got out of work for the same reasons he wanted to get out of school,
so he could go play.
In this case, to play an illegally downloaded movie.
So he goes home to his apartment with his sister,
and they watch Men in Black 2.
But the real Men in Black were knocking on his door.
And I went to push the door open,
but it was yanked open in front of me and an M16 was in my face.
So there was somewhere between 20 and 30 agents inside of my apartment.
My sister was sitting on my couch crying.
My dad was standing in the living room next to her.
And just like when he saw me walk through the door, he just looked at me and shook his head.
They took everything in the house that
was related to computers uh all floppy disk any cd that was in there every computer every computer
component uh every piece of paper that had notes handwritten on them and what was going i mean what
was your emotional level at that point were you like freaking out about this or how were you feeling?
I was, I was scared shitless at the time because I was an adult at that point.
And I was on probation still for the hacking and bomb threat two years before.
Once again, they took all his electronics and computers,
and he had two weeks before his court date.
This is it. I'm like, I've got two weeks of freedom.
They're going to lock me up in two weeks. So I was like, screw it. I'm just going to have fun and do whatever.
So I spent two weeks racing.
I used to street race a lot.
So I spent two weeks street racing, going to the beach a lot,
hanging out with as many of my friends as I could,
trying to sleep with as many different girls as I could.
Now, 19 years old, black hat hacker Tommy DeVos, Doggy G, stands in front of a judge
two weeks later. Hats were not allowed in court. I ended up pleading guilty in October of 2003
to one count of violating the CFAA for breaking into a computer system that controls interstate commerce. I had broken into
a website called bankcolo, B-A-N-K-C-O-L-O dot com and defaced the website. And it turns out it was
for the Colorado Bank and Trust Company. yeah. Messing with a banking website was probably a bad move.
I mean, they're federally regulated and insured,
which means that crimes involving a bank
are probably going to be investigated by federal law enforcement.
The judge asked me to stand up and he looked at me and he said,
Mr. Voss, I do not believe that you're sorry for anything that you've done.
I think the only reason that you are showing any remorse whatsoever is because of the fact that you got caught.
He ended up sentencing me to 27 months in federal prison.
Banning me from computers for 10 years.
And giving me five years of probation.
And I want to say it was $100,000 of restitution that had to be paid.
So then after he pronounced my sentence,
he said,
I now place you in the custody of the U.S. Marshals
to serve your sentence.
And my knees pretty much gave out on me.
I was just, I walked in there expecting to walk back out that day for at least 30 days.
And now all of a sudden, I'm getting locked up for almost two and a half years.
The fun was over. Doggy G's hacking spree was done. Back to being Tommy with no hat to wear
in prison. What were some of the tattoos you got? My first tattoos in prison, I got a tribal
on each one of my biceps, one on each side. That was just a small little tribal and one had a T for my initial and the
other one had a C for the girl I was dating at the time. I got three dots on my right wrist,
which is a Hispanic gang tattoo for Puntos Locos, um, crazy life. Um, I had the words crazy life
put on, um, I don't know what it's called. It's not my forearms, but it's like the back of my arms between my elbow and my wrist.
Crazy was put on one side, life was put on the other side.
I went in with like five or six tattoos and came out with like 25 or 30 total.
Tommy served his two years in prison and got out.
And at this point, it's 2006, he's 22, but still has to serve probation.
So your real probation had 10 years, no computers?
No computers, cell phones, game systems, fax machines, anything that could communicate with other people aside from an actual phone.
I could make phone calls.
I wasn't allowed to touch a cell phone or anything
like that. Even when I would go and get a job, a lot of jobs would have you clock in on a computer.
I wasn't allowed to do that. I had to have another coworker clock me in and out. For the first 30
days or so, when I got out of prison the first time, I didn't do any drugs and I didn't get on
computer or anything. For the first 30 days? This doesn't sound good. But let's not forget,
Tommy was once addicted to hacking. It was all he could think about, not to mention being high.
So even though he went two years without doing any of this,
how long could he hold out now that he's sort of free again?
It turns out 30 days.
I actually started defacing websites again because of how my bedroom was set up in the house.
I used to sit at my computer and I was sitting next to a window that I could see out, but you couldn't see into it.
So I just would always sit there.
And if I saw a car pull in my driveway that I didn't recognize,
I would jump up and take my desktop computer completely apart,
hide different parts of it in various places of the house so it couldn't be found,
and then go and answer the door.
His probation officer would visit sometimes, come by and check on Tommy,
talk to
him, look around his room and make sure he wasn't using a computer because that wasn't allowed on
his probation. And one day when his probation officer did come by, Tommy quickly shut down
the machine, took it all apart and hid it all over his room. But he forgot to hide one thing.
And when the P.O. came into his room, he saw a keyboard on Tommy's bed busted.
This was a violation of his probation, and he had to go back to prison to do more time.
Eventually, he came back home again.
Again, his probation was that he could not use computers,
but Tommy just couldn't keep his fingers off them.
He didn't want to hack anymore, but he was just addicted to computers and would use it
for other things. But the FBI was interested to see if he was going to go back to being a hacker.
The FBI actually watched me for six months. They rented the house across the street from mine,
took pictures of every person that came to my house. The FBI actually collected our trash
to go through it, looking for evidence that I was on a computer hacking again.
As Tommy tells the story, his parents wanted to sell the house and a couple of FBI agents came over posing as potential buyers of the house.
And that's when they saw Tommy on his computer in his room.
And this was a direct violation of his probation again, which was all the evidence they needed.
The FBI went and got
their arrest warrant and came back and knocked on the door. When I opened it, they bust through the
door and it was the FBI, DCIS, which is the Defense Criminal Investigative Service. It's
kind of like the Department of Defense's version of the FBI, the Secret Service, and state police from Virginia.
And they locked me up for violating probation and failing drug tests.
They gave me 14 months in prison that time, which was the maximum they were allowed to give me.
They gave me what they called diesel therapy.
They put me in solitary confinement for three weeks in Petersburg.
Then they shipped me from there to USP Atlanta,
which is a maximum security prison in Atlanta, Georgia.
They put me in solitary confinement there for, I want to say it was another three weeks.
And then they sent me from there to a medium-high prison in Williamsburg, South Carolina,
where they put me in solitary again for a couple of weeks before putting me on the actual compound.
I think going back to prison again really did change Tommy.
He didn't like it there. He didn't want to ever come back.
So he spent a long time weighing which was
worth more to him, the high you get from hacking or his freedom. Now, each time he went to court,
he ended up in front of the same judge every time. And that judge's name was Judge Payne.
And Judge Payne said something to him which had a lasting impact? So the last time I was in court on October 28th of 2009, I had Judge Payne for
every time I went to federal court, I had the same judge. And he told me that if he ever sees me in
his courtroom again for a computer crime, he was going to give me life in prison. Yeah, he made it
so I don't want to, I don't want to hack illegally anymore. I got a daughter that would be really mad at me if I went to prison for the rest of my life.
So Tommy gets out of prison and does good on probation.
No violations.
In fact, he does all the time he's supposed to do.
And on November 3rd, 2010, his probation is done.
And he's a free man once again.
It was really nice to know that I could
get on computers again and not
have to worry
that I was going to go to prison or get caught on
or anything. I didn't have to hide them
anymore. I was allowed to get cell phones
and the biggest thing to me was
the fact that I was allowed to go to school
now. While I was on probation that I was allowed to go to school now.
While I was on probation, I wasn't allowed to go to college because you can't go through college without having to use a computer for something, especially when I wanted to go for computer stuff.
And I was allowed to try to find a computer job at that point.
So that was like the biggest difference for me.
He could go to college, use computers, but of course he was not allowed to do any illegal hacking, no matter how tempting it might be. Finding a legit job in the tech industry is
really hard when you have a federal conviction on your record, especially for fraud.
I spent three years from 2010 to 2013 trying to find a computer job period um i kept working as a cook
and doing construction but um i couldn't find any company that would hire me doing computers because
of my um background and everything they automatically think you were stealing money or
identities tommy would sometimes get that itch to be Doggy G,
the Black Hat, and hack into something again.
But he controlled his temptations, no matter how strong they were.
The truth was, he was really good at hacking.
When you're really good at something, you like doing it.
But then he heard about something new,
something that would change his life and start a new chapter for him.
Bug bounties.
There are two main websites that do this, HackerOne and BugCrowd.
Companies will go to these websites and say something like,
Hey, if anyone can find a security issue on our website, we'll give them a reward.
Tommy came across HackerOne and decided to check it out. He saw the website Yahoo
had a bug bounty program and he was already really familiar with the way Yahoo worked. He'd been
poking at it and hacking on it throughout his whole teenage life. So he was kind of flabbergasted
now that Yahoo was willing to pay anyone who could find a security problem in their website.
So he starts hacking around on their site and found something.
I reported my first bug on HackerOne to Yahoo in March of 2016,
and I found that a lot of Yahoo system admins and developers
were using GIST to share information,
and they were forgetting to make them private or delete them after the fact.
So I found a bunch of them that were leaking, like, internal passwords, and they were forgetting to make them private or delete them after the fact.
So I found a bunch of them that were leaking like internal passwords,
database credentials, network maps and stuff like that.
So that was my first bug to Yahoo, reported it to them and they gave me like 300 bucks for it.
As in, Yahoo was thanking Tommy for hacking their site and telling them about a security problem they had.
And we're so happy they gave him $300 for this.
So I was like, oh shit, so maybe this is real.
I made very little money the first couple of months because it was all like really low level things that I was finding.
And then in May of 2016, Image Tragic, Image Magic remote code execution vulnerability was public at that time. The Image Magic bug was a vulnerability where websites let you upload an image, but you could send a malicious image to it.
And then you can get access to the website just by uploading a malicious image. And I actually got remote code execution on two of
Yahoo servers using that and got the first one was a thousand dollar bounty. And then the following
week, I found the same RCE on a different server, reported that and they gave me the full $4,000.
And with that, Doggy G was back.
This time completely legal.
This time wearing a white hat.
Because all this was legit and paid up by Yahoo, the company he hacked.
But because they have a bug bounty program,
it explicitly allows this kind of hack if you're participating in the program and they'll pay you for it. So he was basically given the green light to hack once
again. Doggy G was in somewhat disbelief. Is this even real? But it was. So he sat up straight,
cracked his knuckles and began going to town looking for more bugs that would pay out. So in my first year doing bug bounties in 2016,
I think I only made, let's say,
somewhere between like $30,000 and $50,000 somewhere.
Almost all of it was on HackerOne.
And then in 2017, I ended up making,
I think I set the goal to make $100,000 in 2017 from bug bounties and made somewhere between $150,000 and $200,000 for 2017.
The white hat hacker move was working for him.
But what looked even better, what he really wanted, was a green hat.
Green as in money. In 2018, I think I made, combined across all three platforms, somewhere between $600,000 and $700,000.
For Doggy G, money looked best when it was turned into cars.
Men in Black 2 got him in real trouble, but Fast and Furious truly inspired him.
So the Fast and the Furious movies started coming out, what was it, like 99 or so?
And I fell in love with the Skyline GTRs.
So tell me about what happened to you in January 2018.
In January 2018, I got a $175 bounty on a Friday afternoon on a HackerOne program.
And I was kind of mad about the bounty because it should have been quite a bit more.
But the program paid really bad.
And I put the $175 on a, I bet on basketball, international basketball, a lot.
I put that $175 on there at about 7 o'clock on that Friday night.
And by Monday afternoon, 4 or 5 in the afternoon, I had turned $175 into $133,000.
So I withdrew like $50,000 of it.
And I went and bought my first Skyline.
It was a 1992 R32 GTST.
That was technically my dream car.
It wasn't the GTR model, but it was still a Skyline.
So I was extremely happy.
In 2018, Doggy G kept finding and submitting bugs on HackerOne.
$200 here, $1,000 there, $5,000 there.
He was racking up one bounty after another,
slowly but surely fattening his stack,
earning his green hat,
and then he scored the biggest bounty yet.
Okay, so October 2018,
I set the record for the most,
the highest amount of bounties paid in a single day to a single researcher.
I was playing with an SSRF and I found a bypass for their blacklist that they had used.
And I ended up being able to bypass the blacklist in a total of 15 or 16 different endpoints for SSRF.
I know some of you don't understand what he's saying.
That's okay.
All you need to know is that he found a vulnerability 16 times on a single company's website.
And ended up getting new bugs for all 16 of them.
And each one of them was $10,000.
So it was like October 18th or something like that
of 2018 i was paid 160 000 worth of bounties in that one day
what is that feeling like to get 160 000 in a day's work unreal it was just like it still seems too good to be true
that's my single day highest payout but i've had at least five or six single days where i've made
six figures in one day ask any racer real racer, it don't matter if you
win by an inch or a mile. Winning's winning. It's unreal to know that 10 years ago, right now,
I was sitting in federal prison. So now I'm one of six people on HackerOne that have made a million dollars just on the HackerOne platform.
I'm pretty sure I've made over $800,000 in 2019 just from HackerOne.
I've confirmed all this, by the way.
I've read through his court cases.
I've listened to his mother talk.
And HackerOne themselves has announced that Tommy was the sixth hacker on their site to make one million dollars
and in 2019 he made nine hundred and ten thousand dollars total just missing his goal of one million
dollars in bug bounties in one year what did your parents think when you started uh using hacker one using HackerOne to hack again? At first, they were super leery of it.
My mom finally accepted it after the first year or so
when she saw that I was able to make money
and I was making decent money and not getting in trouble.
My dad still doesn't accept it.
He actually won't talk to me because he thinks that I'm wasting my life and wants me to get a normal nine to five job and everything.
And the last time I actually spoke to him was in February of this year.
And he was disowning me and telling me that I needed to stop wasting my life and get a real job before I lose my life, or something along those lines.
And that's because he thinks this isn't legit work?
Yeah.
I'm hoping that he's seeing it now.
In 2019, I bought cars for my two nieces that are 17 years old.
I bought both of them their first car.
I bought my baby sister, who is about to turn 18.
I bought her her first car.
I bought my one of my I've got a set of twin sisters a year younger than me.
One of them lives in Florida.
I bought her a truck earlier this year.
I bought her twin sister a car and a truck a few months ago.
I bought my mom a Mustang back in October of this year. And I bought myself this year. I bought myself an Infiniti G37.
I'm planning to buy my dad a brand new truck. I'm planning on buying him a truck within the next month or two.
And then just buying it, taking it to his house, putting it in his driveway with the keys and the title.
And just leaving it there and letting him come home from work to find a brand new truck in his driveway for him.
Oh, there's an update here.
I recorded this interview like months ago, but I checked with Tommy just before airing this.
He's slowly getting on talking terms with his dad again.
And when he pitched this idea to him, his dad had another plan.
Remember the car Tommy bought his 18-year-old little sister?
Well, she didn't drive it right and she blew the engine.
So his dad said, instead of buying me a new truck, why don't you buy another new car for your little sister?
So that's what Tommy's planning on doing.
And also at this point,
Doggy G has earned so much money that he's been able to buy two of his dream
cars.
And both of them are the classic Nissan Skylines from Too Fast,
Too Furious.
What are the license plates on your cars?
On my R32 GTS-T, I've got an antique tag on it that says Hacker H4CK3R.
On my 92 R32 GTR, it says Bounty Please.
And then I have on my Infinity G37, I have the license plate Thank You Hacker 1.
Earlier this year, I actually, a couple months ago,
I actually was sent to D.C. by HackerOne,
and I spoke at a little cybersecurity leaders meetup
between the government and military agencies.
So going from a black cat being sent to prison for hacking the government
to actually being invited to speak to government
leaders about my experience hacking them.
This is the weird new future we're living in.
Ten years ago, when Doggy G was hacking, bug bounties didn't exist, and the government
was chasing him.
Now Doggy G is doing the same kind of hacking, but now companies are paying him to do it,
and the government is asking him to come teach them.
Sort of like, if he can't beat them, join them.
Yeah, exactly.
And the good thing, one of the things that I love about the DoD's program so much is that it's their scope.
Tons of companies start up a bug bounty program, and they have an extremely limited scope.
And it's like, we only want information about these and everything.
And as a former black cat, I know that I don't give two shits about a scope if I'm a black
cat.
So yeah, Tommy's now helping the feds secure their networks.
It's weird how it all turned out, isn't it?
And even though the bug bounties are bringing him a great income, he's actually been looking
for a day job lately.
I don't have anybody to talk to that when I make a really cool hack or anything like that, aside from the people online.
I see hacking as kind of an addiction.
I'm just as much addicted to hacking as I ever was addicted to any drug or anything like that.
I'll never stop hacking.
Actually, the only reason I'm
looking for a full-time job is because I miss working with a team. I just want to have a little
bit of structure to my day so that I'm not just like, I sit around bored out of my mind a lot.
And there's only so much Xbox you can play and online games and stuff you can play before even
they get boring. Tommy did in fact recently get a job with one of the biggest banks in the U.S.
doing research on the threats they see there. He applied, interviewed, they liked him,
he passed, got the job, and he had a start date in January. But when they ran a background check
on him, they got worried, and so they decided not to bring him on board. And this was a bummer,
since another reason he wants a day job is to prove to his dad that he's doing good work.
I think he'll be happier then. I'll still be doing my bug bounties and stuff,
but I'll have what he sees in his eye as a real job.
Okay, so if Tommy's story is inspiring to you, you can get started earning money finding bugs too.
And this is what Tommy suggests you do to get started.
Just doing Hacker101.com, which is kind of like Hacker University, where it's capture the flags and stuff,
to show you some real-world examples of things that bug hunters have found to give you like hands-on experience um doing pen tester labs
i always suggest when somebody asks me where to start is reading every blog post you can find
from bug hunters about what they found and everything so it gives you an idea last thing
i asked tommy a former criminal is if he has any advice for the next generation who might be
thinking of trying on that black hat.
It's not worth doing this stuff illegally.
Thanks to Edward Snowden's weeks back in 2013, we know that everything we do online is monitored by the U.S. government.
And anybody that thinks that they can do things illegally and get away with it is mistaken.
Anybody that has been doing things illegally and has gotten away with it, it's only because they haven't wanted to look at you yet.
But they can.
You're not going to hide yourself completely.
Everybody makes mistakes.
And the amount of money that you can make doing this legally far outweighs the money you're going to make illegally.
Because, I mean, if you're good enough to do this as a black hat, you're good enough to do this as a white hat.
And you can make life-changing money doing it.
Just before airing this episode, Tommy attended the H1415 hacking event.
This is a nine-hour hackathon put on by HackerOne in San Francisco. And the goal
is to see how many bug bounties can be claimed within nine hours. A bunch of people showed up.
Tommy went and he was finding bug after bug and reporting them. And within the nine hours given
for the event, he earned $101,000, which gave him the coveted MVH, Most Valuable Hacker.
I get a little jealous listening to this story, because I was one of those people who did
everything right. I've never been arrested for hacking, I never went to prison, I went to
university and got a computer science degree, and then I spent 10 years working as a security engineer. I made nothing close to a million
dollars. Yet here's Tommy breaking all the rules and getting scarred again and again,
failing repeatedly and still coming out, not just okay, but with all the toys.
But I guess it just reminds me of that Fast and Furious quote.
You know, Edwin happens to know a few things.
And one of the things Edwin knows is
it's not how you stand by your car,
it's how you race your car.
You better learn that. A very big thank you to Tommy DeVos, a.k.a. Doggy G.
Great story, but stay out of trouble, okay?
Oh, have you listened to the five bonus episodes of Darknet Diaries yet?
They're out there, but they're only for Patreon supporters.
If this show brings you value, please consider giving to the Darknet Diaries Patreon. You can also get an ad-free version of the show there,
too. This show is made by me, the Tokyo Drifter, Jack Recider. This episode was produced by the
turbocharged Jake Worga. Editing helped this episode by the wind-blown Damien. And our theme
music is by the electric-powered Breakmaster Cylinder.
And even though a Mirai botnet is launched somewhere in the world every time I say it,
this is Darknet Diaries..