DoorDash Hack

A DoorDash driver stole over $2.5 million over several months:

The driver, Sayee Chaitainya Reddy Devagiri, placed expensive orders from a fraudulent customer account in the DoorDash app. Then, using DoorDash employee credentials, he manually assigned the orders to driver accounts he and the others involved had created. Devagiri would then mark the undelivered orders as complete and prompt DoorDash’s system to pay the driver accounts. Then he’d switch those same orders back to “in process” and do it all over again. Doing this “took less than five minutes, and was repeated hundreds of times for many of the orders,” writes the US Attorney’s Office.

Interesting flaw in the software design. He probably would have gotten away with it if he’d kept the numbers small. It’s only when the amount missing is too big to ignore that the investigations start.

Posted on May 20, 2025 at 7:05 AM • 3 Comments
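A minimal model of the design flaw described in the quoted passage, as an added example that is not part of the original post and not DoorDash's code; the class names, states and amounts are assumptions. It contrasts a payout that fires on every transition to "complete" with one keyed on the order ID, which pays once and records repeat completions and reopenings for review.

```python
# Hypothetical order model: names, states and amounts are assumptions.
from dataclasses import dataclass, field

@dataclass
class Order:
    order_id: str
    amount_cents: int
    status: str = "in_process"
    completions: int = 0  # times this order has reached "complete"

@dataclass
class NaivePayouts:
    """Pays on every transition to 'complete' (the flaw described above)."""
    paid: list = field(default_factory=list)

    def set_status(self, order, status):
        order.status = status
        if status == "complete":
            self.paid.append(order.amount_cents)

    def total(self):
        return sum(self.paid)

@dataclass
class IdempotentPayouts:
    """Pays at most once per order ID and keeps an audit trail of repeats."""
    ledger: dict = field(default_factory=dict)  # order_id -> cents paid
    alerts: list = field(default_factory=list)

    def set_status(self, order, status):
        if order.status == "complete" and status != "complete":
            # Reopening an already-paid order is rare enough to log every time.
            self.alerts.append(("reopened_after_payout", order.order_id))
        order.status = status
        if status != "complete":
            return
        order.completions += 1
        if order.order_id in self.ledger:
            self.alerts.append(("duplicate_completion", order.order_id, order.completions))
            return
        self.ledger[order.order_id] = order.amount_cents

    def total(self):
        return sum(self.ledger.values())

def replay(system, cycles):
    """Replay the complete -> in_process loop on one constructed order; return cents paid."""
    order = Order("order-1", 5000)  # constructed sample order
    for _ in range(cycles):
        system.set_status(order, "complete")
        system.set_status(order, "in_process")
    return system.total()
```

Because the alerts fire on the pattern rather than on the amount, they surface the loop even when each individual payout is small.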

Comments

Online Shopping May 20, 2025 9:31 AM

It’s a flaw exploited by unscrupulous people in online shopping platforms.
An order is not delivered but marked as complete so the person gets paid. When the customer complains, the order is marked as ‘in process’ and the cycle repeats.
The online platforms tend to not support the customer getting a refund.

Clive Robinson May 20, 2025 11:06 AM

@ Bruce, ALL,

With regard to the apparently greedy way the accused behaved…

Any criminal should know that if you do the same thing over and over it’s called an “MO”… And further as with “traffic analysis” the time you do something in effect betrays you as a correlation builds up.

And that’s before “wagging lips” get you betrayed –in the UK something over 8/10 of convictions happen– because people “flap their gums” or these days post “I’m Flash Photos” on their social media accounts…

So the old maxim of,

“Get in quick, get out faster.”

Still very much applies, or as others put it,

“Get a taste, but don’t get greedy and expect a full meal.”

Thus you have two basic ends of a line,

1, Low and slow.
2, High and fast.

The trick with cyber crime used to be,

“Go low and slow and move on”

That is the authorities are resource bound so they did not investigate crimes below a certain value. So a smart crook would hit a few people in one jurisdiction then move onto the next jurisdiction.

Alternatively the successful crooks would,

“Go high and fast, and move on after each job.”

In effect changing their MO each time to limit the authorities correlating their actions.

My father pointed out to me when I was quite young,

“If you have the skills to commit the perfect crime, you have the brains to earn more money honestly.”

He also pointed out that if you involved others they had incentive to betray you due to “Turning States Evidence” thus,

“You would need considerably more against them, than they had against you.”

Yes you can make crime pay, we see it all the time, with “White Collar Crime” hiding behind “Corporate structures”. And the reason they get away with it is they pay legislators to ensure their actions do not become crimes…

Something I think some voters are finally realising…

Hmmm... May 20, 2025 6:04 PM

Is “Sayee Chaitainya Reddy Devagiri” a rich white middle-aged Republican?

Is he going to be doing time in El Salvador? Or an American prison?

Morality aside, there’s a cost-vs-benefit tradeoff here. If you’re going to be deported by ICE, or jailed in El Salvador, and you can steal millions from your employer, why not do it? Why not steal? How much do you really have to lose? If he had gotten out in time, self-deported before being arrested, well there’s no shortage of countries where he could have lived like a king for the rest of his life on a few million dollars, and bribed anyone necessary regarding admission, citizenship, etc.

It’s something to think about… Real world security is, by and large, awful. Everything from the locks on our homes on up. We stay mostly safe because most people are better off following the law than not. But what happens when so much of our population has nothing to lose?

As @Clive’s father said: “If you have the skills to commit the perfect crime, you have the brains to earn more money honestly.”

But what happens when you don’t have the opportunity to earn money honestly? When you are facing death, torture, or worse? What do you have to lose?

As I watch what’s going on in the world these days, it’s something to think about…
