Data Leaks at DEFCON 33

We spent 24 hours at DEFCON 33, the world's largest hacker conference which takes place every year in Las Vegas in August. If you want to test your privacy game, this is the place to do it. You're surrounded by thousands of hackers, tinkerers, law enforcement, and security researchers from the most targeted organizations in the world. It’s part of the culture to hack the network, crack devices, or social engineer other attendees. And with 1.4 million square feet in the LV convention center’s west hall, there’s plenty of space to do it. What is scarce, is time (and for some, deodorant.)

We explored the main entrance Friday night, stumbled onto a karaoke party, and caught Hacker Jeopardy on Level 1. Saturday we stopped by Hall 2 for crypto village and an AI security presentation but most of our day in Social Engineering village on L3.

Before we paint too dark a picture, DEFCON is a stress test but it’s also incredibly fun. Conference guides, called Goons, are dressed up and wearing their hacker handles as name tags. They help you find interesting events or meet others looking for friends at the con. There’s food and drinks for your physical survival. And for your digital survival, there’s a dedicated/secured Wi‑Fi network run by the con. Organizers want to create a safe and welcoming space and encourage almost* anyone wanting to explore hacking or security to attend: whether that’s for the first time or pushing the limit. There’s even a DEFCON for kids area.

*Most people are there for good clean hacker fun. But we heard that Jeremy Hammond was kicked out this year due to shouting protests during a military presentation. And there is a ban list published on DEFCON’s transparency report.

One of the best ways to make friends at DEFCON is to bring a set of stickers you can gift, swap, or stick to any designated surface. Our little Kanary bird stickers were a hit, especially once we started adding googly eyes.

But stickers and maps aside, our goal was to understand the latest hacks causing personal data leaks. And share what works for protecting your information, even among top hackers. Here are the top hacks we saw at DEFCON. We’ll break down what we saw and ways to protect yourself below:

1. Voice Phishing (Social Engineering)

2. Credential Leaks (Packet Hacking)

3. Account Takeovers (Scammers and Crypto Hacks)

Voice Phishing (Social Engineering)

The Social Engineering Village hosted Battle of the Bots, judged by Rachel Tobac, JC, and Snow. Teams trained AI agents to voice-phish real customer support representatives at actual companies: a dollar store, a refrigeration company, and other retailers, live on stage.

The line to get into the session was an hour long. The room was packed. The energy was electric. Most of the teams used a text to voice generator like ElevenLabs, had a microphone recording the target's responses in real-time, then transcribing those to text. That transcription fed into an LLM with instructions about what information to extract. The LLM would respond, and AI voice system would translate that to the call. The goal? Get the customer support rep to visit a phishing link or divulge security training information.

One team succeeded and won the top prize. Their bot posed as IT running a routine system check that needed to be completed before the end of the weekend. The customer support rep visited the link. When a bot made mistakes, like explaining what a phone was to a confused target, everyone laughed. When AI succeeded to be more convincing on the phone, people cheered. We watched this for over an hour, mesmerized and unsettled.

Above is a hypothetical system architecture. Teams hit snags when their AIs were not able to respond fast enough to the human support agent. Those delays made support hang up or get suspicious. Conference Wi‑Fi was to blame, but these AI systems can also be slow. One team made their AI voice sound a bit staticky/unstable, which helped explain the delays. The best systems relied on multiple LLMs parallel processing the conversation to manage various states, and a conductor to control the conversation flow.

How This Impacts You

That "Amazon fraud department" call you got last week? That "IRS agent" who knew your address? Increasingly, these aren't humans. They're LLMs using voice generation platforms to speak perfect English, even tell jokes, and target you personally or the company you work for.

The bots in this competition were focused on collecting company information and all they had to do was call. They succeeded with just a basic pretext. Imagine how much more effective these attacks become when the AI can reference your job title, your company's systems, or other specific details pulled from LinkedIn and data broker sites. Information that's readily available to LLMs who get better at scraping the web every day. Even the FBI put out a warning about AI Voice Cloning.

What You Can Do

If someone calls claiming to be from IT, customer service, or any authority figure, hang up and call or message back using a channel you trust and can verify. Don't trust caller ID. It can be spoofed. Don't trust that they know details about you. That information is likely public.

Knowing what the internet knows about you can also help you stay safe. If you know your address is public in a property record, you can prepare yourself to not be surprised when a stranger may know it. And if there is sensitive information you want kept private like your phone number, that’s where you’ll want to remove it from sites like Whitepages.

2. Credential Leaks (Packet Hacking & Tracing)

At the Packet Hacking Village, we visited the Wall of Sheep. We only had 30 minutes here, but saw enough to understand why data leaks are so common. IP addresses and credentials flashed across a wall-high screen. Real usernames. Real passwords. Each from someone at the conference who had used an unsecured network or website.

Username: john.smith Password: abd

The hackers at the village were using the latest techniques to pull the packets, post the identifiers (partially redacted to avoid complete doxxing) and hoped to shame people into better security practices. We were surprised that people at DEFCON were unaware enough to do this. But even here, people were slipping up and joining the wrong network or logging into site they shouldn't. The teams running the wall were honest that these attacks aren’t easy because most sites now use HTTPS, not HTTP. But they still do happen.

On the same wall, the Packet Hacking Village displayed a 3D map of the convention center with thousands of dots representing devices connected to the Wi‑Fi. Accurate enough to pinpoint someone on the floor map. You could watch the dots move through different villages in real-time. Mass surveillance with zero consent.

How This Impacts You

While unencrypted connections are rare these days, they still exist and cause data leaks. And the Bluetooth and Wi‑Fi on your phone could be broadcasting your location without you realizing it. The Wall of Sheep exists to visualize that your data might not be as private as you think. While it doesn’t always make sense to carry a burner device or keep your Bluetooth off. It’s a good reminder that by default, your Bluetooth should be set to contacts only and your VPN should be enabled.

What You Can Do

VPNs are an easy way to keep your IP address and location private, you can access several trusted VPNs for free like Mullvad or Proton, even Apple will automatically mask your traffic if you have iCloud plus. Make sure every site you log into uses HTTPS (look for the lock icon). Use unique passwords for every account so that if one gets compromised, the others remain safe. Consider using a password manager to make this manageable.

At DEFCON, we paid cash, used burner phones and emails, and left our primary devices at the hotel. You don't need to go that far for everyday life, but the principle applies: the less you expose, the less can be captured.

3. Account Takeovers (Scammers and Crypto Hacks)

We attended "Anatomy of a Crypto Scam" with Kit Boga (famous scambaiter) and Nick Percoco, CSO of Kraken. They broke down exactly how crypto scammers operate and revealed a staggering number: $9 billion in cryptocurrency was stolen in 2024.

Scammers target victims using three key data points: breach lists, age, and wealth indicators. They're looking for people who have money and might be vulnerable. Often older individuals who can be convinced to move their retirement savings into crypto with promises of high returns, or existing crypto holders identified through data breaches.

Kit showed how he fights back. He runs hundreds of AI bots that answer scam calls and engage with fake investment sites, wasting scammers' time. His bots can keep scammers on the line for hours, preventing them from targeting real victims during that time. He's also building Seraph Secure, a tool that blocks the remote access software scammers use, blocks thousands of known scam websites, and detects fake virus pop-ups in real-time.

But here's what stuck with us: scammers use publicly available data to choose their targets. They know your age from data brokers and social media. They estimate your wealth from property records, Zillow, vehicle registrations. They find your phone number and email from people-search sites. They research your family members, your job history, your interests.

How This Impacts You

You don't need to have crypto for this to matter. These same targeting techniques work for any scam: romance scams, tech support scams, fake IRS calls, Medicare fraud.

Scammers are building profiles of potential victims using publicly available information and a knowledge of human psychology. Financially stressed individuals might go searching on Google for investment opportunities or fall for a malicious Facebook advertisement. A romance scam that references hobbies common among older, single women lures the right targets in.

What You Can Do

Reduce your attack surface and talk to your loved ones who may be more vulnerable, especially about the dangers of crypto. Remove your information from data broker sites and know what is public about you. Lock down your social media. Don't post about expensive purchases, vacations, or financial situations.

If you do want to write publicly about crypto or investing, consider creating a pseudonym and using burner accounts. This will help you protect your accounts from being hacked through brute force or through social engineering.

Kit's Seraph Secure blocks scams when they try to execute. Kanary removes the data that makes you a target. When scammers are choosing between someone with a complete public profile and someone who's a ghost online, they'll pick the easier mark every time.

Back To Reality

DEFCON reminded us that privacy isn't about locking yourself away or never being online. It's about knowing when to play offense and when to play defense to protect yourself.

At DEFCON we were on defense. Burner devices, cash transactions, hacker handles on badges, messaging new friends on Signal. These aren't paranoid moves, they're appropriate responses to an environment where you're surrounded by people testing security boundaries.

But in everyday life, it's different. We need to be present online for work, for staying connected, for building things. The trick is knowing what information actually needs to be public and what doesn't. And understanding your public presence as it evolves. With new accounts, breaches, and connections, you can’t be in total control all of the time but you can be aware.

We built Kanary because privacy protection shouldn't require attendance at hacker conferences. It should be accessible and effective, whether you're a high-profile target or just someone who wants to stop being targeted by scammers.

Ready to protect yourself with one tap? Download Kanary for free.