According to the U.S. Attorney’s Office, Devagiri, 30, manipulated DoorDash’s logistics by exploiting both customer and employee accounts. He, along with three other co-conspirators, used fake high-value orders on real customer accounts. These orders were manually reassigned to driver accounts under their control using credentials stolen from a DoorDash employee.
Once the orders were rerouted, the system was manipulated to falsely show them as “delivered,” triggering automatic payments to the fake drivers. Devagiri then reclassified the same orders back to “in process,” reassigning them again and again, cycling millions in false payouts.
The Digital Loophole: Exploiting a System Built on Trust
The fraud was enabled by unauthorized access to DoorDash’s backend system—a vulnerability that allowed manual order manipulation without triggering alerts. Officials said Devagiri’s misuse of the system created a feedback loop of nonexistent deliveries. This included changing delivery statuses repeatedly, siphoning funds meant for genuine deliveries.
Such manipulation not only caused financial loss but raised serious questions about the platform’s internal controls and access management practices. The case demonstrates how insider access—even by former employees—can be weaponized when security protocols are lacking.
Legal Consequences and Wider Implications
Devagiri pleaded guilty to one count of conspiracy to commit wire fraud and is the third person to be convicted in connection to this case. He now faces up to 20 years in prison and a $250,000 fine. His sentencing is scheduled for September 16.
Federal prosecutors highlighted that similar cases are under review, and companies relying on gig economy models must reassess their backend infrastructure to prevent internal exploitation. The case also underscores the importance of timely detection mechanisms and limiting credential privileges within tech platforms.