| Status | Active |
|---|---|
| Genre | Security Conference, Hacker Conference |
| Frequency | Annual |
| Venue | Varies |
| Locations | Las Vegas,Nevada |
| Country | United States |
| Years active | 32 |
| Inaugurated | June 9, 1993 (1993-06-09)[1] |
| Founder | Jeff Moss |
| Previous event | August 7–10, 2025 |
| Attendance | Over 30,000 |
| Website |
|
| Part of a series on |
| Computer hacking |
|---|
 |
|
DEF CON (also written asDEFCON, Defcon, orDC) is ahacker convention held annually inLas Vegas,Nevada. The first DEF CON took place in June 1993 and today many attendees at DEF CON includecomputer security professionals,journalists, lawyers, federal government employees, security researchers, students, andhackers with a general interest insoftware,computer architecture, hardware modification, conference badges, and anything else that can be "hacked". The event consists of several tracks of speakers about computer and hacking-related subjects, as well as cyber-security challenges and competitions (known as hackingwargames). Contests held during the event are extremely varied and can range from creating the longestWi-Fi connection to finding the most effective way to cool a beer in theNevada heat.[3]
Other contests, past and present, includelockpicking,robotics-related contests, art, slogan, coffee wars,scavenger hunt, andCapture the Flag. Capture the Flag (CTF) is perhaps the best known of these contests and is a hacking competition in which teams of hackers attempt to attack and defend computers and networks using software and network structures. CTF has been emulated at other hacking conferences as well as in academic and military contexts (asred team exercises).
Federal law enforcement agents from theFBI,DoD,United States Postal Inspection Service,DHS (viaCISA) and other agencies regularly attend DEF CON.[4][5] Some have considered DEF CON to be the "world's largest" hacker conference given its attendee size and the number of other conferences modeling themselves after it.
DEF CON was founded in 1993, by then 18-year-oldJeff Moss as a farewell party for his friend, a fellow hacker and member of "Platinum Net", aFidoNet protocol based hacking network fromCanada.[6] The party was planned for Las Vegas a few days before his friend was to leave the United States, because his father had accepted employment out of the country. However, his friend's father left early, taking his friend along, so Jeff was left alone with the entire party planned. Jeff decided to invite all his hacker friends to go to Las Vegas with him and have the party with them instead. Hacker friends from far and wide got together and laid the foundation for DEF CON, with roughly 100 people in attendance.
The term DEF CON comes from the movieWarGames, referencing theU.S. Armed Forces defense readiness condition (DEF CON). In the movie, Las Vegas was selected as a nuclear target, and since the event was being hosted in Las Vegas, it occurred to Jeff Moss to name the convention DEF CON. However, to a lesser extent, CON also stands for convention and DEF is taken from the letters on the number 3 on atelephone keypad, a reference tophreakers.[7] The official name of the conference includes a space in between DEF and CON.
Though intended to be a one-time event, Moss received overwhelmingly positive feedback from attendees, and decided to host the event for a second year at their urging. The event's attendance nearly doubled the second year, and has enjoyed continued success.[8] In 2019, an estimated 30,000 people attended DEF CON 27.[9]
For DEF CON's 20th Anniversary, a film was commissioned entitledDEF CON: The Documentary.[10] The film follows the four days of the conference, events and people (attendees and staff), and covers history and philosophy behind DEF CON's success and unique experiences.
In January 2018, the DEF CON China Beta event was announced. The conference was held May 11–13, 2018 in Beijing, and marked DEF CON's first conference outside the United States. The second annual DEF CON China was canceled due to concerns related toCOVID-19.[11]
In 2020, due to safety concerns overCOVID-19 the DEF CON 28 in-person Las Vegas event was cancelled[12] and replaced with DEF CON Safe Mode,[13] a virtual event planned for the same August 6–9 dates as DC 28.
In 2021, DEF CON 29 was held on August 5–8 in-person in Las Vegas and virtually (viaTwitch andDiscord). In-person attendees were required to wear masks in conference areas and to show proof of COVID-19 vaccination. Attendees with verified vaccine records (verified by a 3rd party) were given a wristband which was required for entry into the conference areas.[14]
Attendees at DEF CON and other Hacker conferences often utilize an alias or "handle" at conferences. This is in keeping with the hacker community's desire for anonymity. Some known handles include DEF CON founderJeff Moss' handle of "Dark Tangent". A notable event at DEF CON is DEF CON 101 which starts off the conference and may offer the opportunity for an individual to come up on stage and be assigned a handle by a number of members of the community.
A notable part of DEF CON is the conference badge, which identifies attendees and ensures attendees can access conference events and activities. The DEF CON badge has historically been notable because of its changing nature, sometimes being an electronic badge (PCB), withLEDs, or sometimes being a non-electronic badge such as avinyl record. Conference badges often contain challenges or callbacks to hacker or other technology history, such as the usage of theKonami Code in the DEF CON 24 badge, or the DEF CON 25 badge reverting to the look of the DEF CON 1 badge. DEF CON Badges do not (generally) identify attendees by name; however, the badges are used to differentiate attendees from others. One way of doing this has been to have different badges, a general conference attendee (HUMAN) badge, a Staff member (GOON), Vendor, Speaker, Press, and other badges. In addition, individuals and organizations have begun creating their own badges in what has become known as badgelife. These badges may be purchased in many cases, or earned at the conference by completing challenges or events. Some badges may give the holder access to after hours events at the conference. In 2018, the evolution of this came with what was termed "shitty addon's" or SAOs. These were miniature (usually) PCBs that connected to the official and other badges that may extend functionality or were just collected.[15][16]
Villages are dedicated spaces arranged around a specific topic. Villages may be considered mini conferences within the con, with many holding their own independent talks as well as hands-on activities such as CTFs, or labs. Some villages include Aerospace Village, Car Hacking Village, IoT Village, Recon,Biohacking,lockpicking,ham radio, and the well knownSocial Engineering and vote hacking villages. In 2018 the vote hacking village gained media attention due to concerns about US election systems security vulnerabilities.[17][18]
DEF CON has its own cultural underground which results in individuals wanting to create their own meetups or "cons" within DEF CON. These may be actual formal meetups or may be informal. Well known cons are:
Workshops are dedicated classes on various topics related toinformation security and related topics. Historical workshops have been held on topics such as Digital Forensics investigation, hackingIoT devices, playing withRFID, fuzzing and attacking smart devices.
Since DEF CON 11, fundraisers have been conducted for theElectronic Frontier Foundation (EFF). The first fundraiser was adunk tank and was an "official" event. The EFF now has an event named "The Summit" hosted by the Vegas 2.0 crew that is an open event and fundraiser. DEF CON 18 (2010) hosted a new fundraiser called MohawkCon.
Within DEF CON there are many contests and events which range from, Capture the Flag, Hacker Jeopardy,[19] Scavenger Hunt,[20] Capture the Packet, Crash and Compile,[21] and Hackfortress[22] to name a few.
The Black Badge is the highest award DEF CON gives to contest winners of certain events.Capture the flag (CTF) winners sometimes earn these, as well as Hacker Jeopardy winners. The contests that are awarded Black Badges vary from year to year, and a Black Badge allows free entrance to DEF CON for life, potentially a value of thousands of dollars.[23]
In April 2017, a DEF CON Black Badge was featured in an exhibit[24] in theSmithsonian Institution'sNational Museum of American History entitled "Innovations in Defense: Artificial Intelligence and the Challenge of Cybersecurity". The badge belongs to ForAllSecure's Mayhem Cyber Reasoning System,[25] the winner of theDARPA2016 Cyber Grand Challenge at DEF CON 24 and the first non-human entity ever to earn a Black Badge.
The first instance of the DEF CON CTF was held in 1996, at the 4th DEF CON, and has been held since then every year.[26] It's one of the few CTF in the attack/defense format. The prize of the winning team is a couple of black badges.[27]
| Year | DEF CON | Competing Teams | Organizers | Architecture | Platform | Winning team |
|---|---|---|---|---|---|---|
| 1996 | 4 | Goons | AJ Reznor | |||
| 1997 | 5 | Goons | AJ Reznor | |||
| 1998 | 6 | Goons | SNI | |||
| 1999 | 7 | Goons | Ghetto Hackers | |||
| 2000 | 8 | Goons | Ghetto Hackers | |||
| 2001 | 9 | Goons | Multiple | Ghetto Hackers & digirev | ||
| 2002 | 10 | Ghetto Hackers | Redhat 6.2 | Digital Revelation | ||
| 2003 | 11 | 8 | Ghetto Hackers | OpenBSD | Anomaly | |
| 2004 | 12 | 8 | Ghetto Hackers | i386 | Windows | sk3wl0fr00t |
| 2005 | 13 | 8 | Kenshoto | i386 | FreeBSD 5.4 | shellphish |
| 2006 | 14 | 8 | Kenshoto | i386 | Solaris 10 | 1@stplace |
| 2007 | 15 | 8 | Kenshoto | i386 | FreeBSD | 1@stplace |
| 2008 | 16 | 8 | Kenshoto | i386 | FreeBSD | Sk3wl of Root |
| 2009 | 17 | 9 | DDTEK | i386 | FreeBSD | VedaGodz[29] |
| 2010 | 18 | 12 | DDTEK | i386 | FreeBSD & Debian | ACME Pharm[30] |
| 2011 | 19 | 12 | DDTEK | i386 | FreeBSD | European Nopsleders[31] |
| 2012 | 20 | 20 | DDTEK | i386 | FreeBSD | Samurai |
| 2013 | 21 | 20 | Legitimate Business Syndicate | armv7 | Linux | Plaid Parliament of Pwning |
| 2014 | 22 | 20 | Legitimate Business Syndicate | armv7 & i386 | Linux | Plaid Parliament of Pwning |
| 2015 | 23 | 15 | Legitimate Business Syndicate | MIPS, x86 & armv7 | Linux | DEFKOR |
| 2016 | 24 | 15 | Legitimate Business Syndicate | i386 | DECREE | Plaid Parliament of Pwning |
| 2017 | 25 | 15 | Legitimate Business Syndicate | cLEMENCy | cLEMENCy | Plaid Parliament of Pwning |
| 2018 | 26 | 24 | Order Of the Overflow | MIPS, x86 & armv7 | Linux | DEFKOR00T[32] |
| 2019 | 27 | 16 | Order Of the Overflow | x86, arm64, esoteric | Linux, iOS, Xbox | Plaid Parliament of Pwning[33] |
| 2020 | 28 | 16 | Order Of the Overflow | x86, esoteric | Linux | A*0*E[34] |
| 2021 | 29 | 16 | Order Of the Overflow | x86, microengine | Linux | Katzebin[35] |
| 2022 | 30 | 16 | Nautilus Institute | mixed | Maple Mallard Magistrates[36] | |
| 2023 | 31 | 12 | Nautilus Institute | mixed | Maple Mallard Magistrates[37] | |
| 2024 | 32 | 12 | Nautilus Institute | mixed | Maple Mallard Magistrates[38] |
In 1996, the first DEF CON CTF was organized, with a couple ofservers for participants to hack, and judges to decide if a machine has been hacked, and award points accordingly.[39]
In 2002, the companyImmunix took part in the game under the moniker "immunex",[40] to benchmark the security of their Linux-based operating system, with modifications includingStackGuard,FormatGuard,OpenWall'snon-executable stack, SubDomain (the ancestor ofAppArmor), ...[41] Confident in their defense capabilities, they even opened access to their servers to other teams, and even spent some time taunting them. The team got the second place, and all their services deployed on their Immunix stack were never compromised.[42] It was also the first year the contest had an organiser-provided services infrastructure connected to a real-time scoreboard.[43]
In 2003, the game had become so popular that a qualification round was introduced, with the previous winner automatically qualified.[44]
In 2008, the Sk3wl of Root team took advantage of abug in the game (privilege dropping andforking were inverted), allowing them to have such a massive lead that they spent most of the CTF playingGuitar Hero.[45][46]
In 2009, it was announced[47] that "Diutinus Defense Technology Corp" (DDTEK) would be the new organisers, but nobody knew who they were. It was revealed at the end of the game that the team playing as sk3wl0fr00t was the organizer.[27] "Hacking the top hacker contest seemed like a fun way to introduce ourselves to CTF organization. The yells of "bullshit" from CTF teams during the DEF CON 17 awards ceremony were very gratifying." said vulc@n, a member of DDTEK, on the topic.[27]
In 2011, the team "lollerskaters dropping from roflcopters" used a0day inFreeBSD (namely CVE-2011-4062[48]) to escapejails, causing havoc in the game's infrastructure.[49]
In 2016, the 15th edition of the CTF was done in partnership with theDARPA, as part of itsCyber Grand Challenge program, where teams wrote autonomous systems to play the game without any human interaction.[50]
In 2017, the Legitimate Business Syndicate came up with their very own CPU architecture called cLEMENCy: amiddle-endian with 9 bits bytesCPU. With its specifications released only 24 hours before the beginning of the CTF, it was designed with the explicit goals of both surprising the teams, and leveling the playing field by breaking all their tools.[51]
DEF CON Groups are worldwide, local chapters of hackers, thinkers, makers and others. DEF CON Groups were started as a splinter off of the2600 meetup groups because of concerns over politicization. Local DEF CON groups are formed and are posted online.[52] DEF CON Groups are usually identified by the area code of the area where they are located in the US, and by other numbers when outside of the US e.g., DC801, DC201. DEF CON Groups may seek permission to make a logo that includes the official DEF CON logo with approval.
Following are a list of high-profile issues which have garnered significant media attention.
| Year | Description |
|---|---|
| 1999 | On July 10, 1999, theCult of the Dead Cow hacker collective releasedBack Orifice 2000 (later discovered to be infected with the CIH virus) at DEF CON 7,[53] in what was, at the time, the largest presentation in DEF CON history. |
| 2001 | On July 16, 2001, Russian programmerDmitry Sklyarov was arrested the day after DEF CON for writing software to decryptAdobe'se-book format.[54] |
| 2005 | On July 31, 2005,Cisco used legal threats to suppress Mike Lynn from presenting at DEF CON about flaws he had found in theCisco IOS used on routers.[55] |
| 2007 | In August 2007, Michelle Madigan, a reporter forDateline NBC, attempted to secretly record hackers admitting to crimes at the convention. After being outed by DEF CON founder Jeff Moss during an assembly, she was heckled and chased out of the convention by attendees for her use of covert audio and video recording equipment. DEF CON staff tried to get Madigan to obtain a press pass before the outing happened.[56] A DEF CON source at NBC had tipped off organizers to Madigan's plans.[4] |
| 2008 | MIT students Zack Anderson, R.J. Ryan and Alessandro Chiesa were to present a session entitled "The Anatomy of a Subway Hack: Breaking Crypto RFIDS and Magstripes of Ticketing Systems." The presentation description included the phrase "Want free subway rides for life?" and promised to focus on the Boston T subway.[57] However, the Massachusetts Bay Transit Authority (MBTA) sued the students and MIT in United States District Court in Massachusetts on August 8, 2008, claiming that the students violated theComputer Fraud and Abuse Act (CFAA) by delivering information to conference attendees that could be used to defraud the MBTA of transit fares.[58][59] The court issued a temporary restraining order prohibiting the students from disclosing the material for a period of ten days, despite the fact the material had already been disseminated to DEF CON attendees at the start of the show. In 2008's contest "Race to Zero," contestants submitted a version of given malware which was required to be undetectable by all of the antivirus engines in each round. The contest concept attracted much negative attention.[60][61] |
| 2009 | WIRED[62] reported that anATM kiosk was positioned in the conference center of theRiviera Hotel Casino capturing data from an unknown number of hackers attending the DEF CON hacker conference. |
| 2011 | Security companyHBGary Federal used legal threats to prevent former CEO Aaron Barr from attending a panel discussion at the conference.[63] |
| 2012 | The director of theNational Security Agency,Keith B. Alexander, gave the keynote speech.[64] During the question and answers session, the first question for Alexander,[64] fielded byJeff Moss,[65] was "Does theNSA really keep a file on everyone, and if so, how can I see mine?" Alexander replied "Our job is foreign intelligence" and that "Those who would want to weave the story that we have millions or hundreds of millions of dossiers on people, is absolutely false…From my perspective, this is absolute nonsense."[64] On March 12, 2013, during aUnited States SenateSelect Committee on Intelligence hearing, SenatorRon Wyden quoted the 2012 DEF CON keynote speech and askedDirector of National IntelligenceJames Clapper if the U.S. conducted domestic surveillance; Clapper made statements saying that there was no intentional domestic surveillance.[64] In June 2013, NSA surveillance programs which collected data on US citizens, such asPRISM, had been exposed.Andy Greenberg ofForbes said that NSA officials, including Alexander, in the years 2012 and 2013 "publicly denied–often with carefully hedged words–participating in the kind of snooping on Americans that has since become nearly undeniable."[64] |
| 2013 | On July 11, 2013,Jeff Moss posted a statement,[66] located on the DEF CON blog, titled "Feds, We Need Some Time Apart". It stated that "I think it would be best for everyone involved if the feds call a 'time-out' and not attend DEF CON this year."[67] This was the first time in the organization's history that it had asked federal authorities not to attend.[66] ActorWill Smith visited the convention to study the DEF CON culture for an upcoming movie role.[68] |
| 2016 | On August 4, 2016, DEF CON andDARPA co-hosted the2016 Cyber Grand Challenge, a first-of-its-kind all-machine hacking tournament. Competing teams had to create a bot capable of handling all aspects of offense and defense with complete autonomy. Seven finalists competed for a US$2M grand prize.[69] The winner of the Cyber Grand Challenge was "Mayhem", an AI created by ForAllSecure of Pittsburgh, Pennsylvania.[69][70] Mayhem then went on to participate in the previously humans-only DEF CON Capture the Flag Contest,[71] where it finished in last place, despite pulling ahead of human teams often in a contest for which it was not specifically designed. |
| 2017 | At the "Voting Machine Village" event, dozens ofvoting machines brought to the conference were breached.[72] In September 2017, the Voting Machine Village produced "DEF CON 25 Voting Machine Hacking Village: Report on Cyber Vulnerabilities in US Election Equipment, Databases and Infrastructure" summarizing its findings. The findings were publicly released at an event sponsored by theAtlantic Council[73] and the paper went on to win anO'Reilly Defender Research Award.[74] Marcus Hutchins, better known online by his handleMalwareTech, the 23-year-old British security researcher who was credited with stopping theWannaCry outbreak was arrested by the FBI at the airport preparing to leave the country after attending DEF CON over his alleged involvement with theKronos banking trojan.[75] |
| 2018 | In March 2018, the DEF CON Voting Machine Hacking Village was awarded a Cybersecurity Excellence Award.[76] The award cites both the spurring of a national dialog around securing the US election system and the release of the nation's first cybersecurity election plan. |
| 2020 | On May 8, 2020, the DEF CON in-person conference itself was cancelled[77] and virtualized due toCOVID-19. DEF CON Safe Mode[78] was held August 6–9 online with a full roster of talks, villages, contests and events. |
| 2024 | On February 4, 2024, Caesar's Entertainment cancelled the contract with DEF CON without warning[79] with speculation that aransomware attack[80] and bomb scare and subsequent evacuation[81] in 2023 were in part to blame. The conference was moved to theLas Vegas Convention Center as a result. |
Each conference venue and date has been extracted from the DEF CON archives for easy reference.[83]
| Conference Name | Venue | Duration | Year | Attendance |
|---|---|---|---|---|
| DEF CON 33 | Las Vegas Convention Center | August 7–10 | 2025 | ~26,000[84] |
| DEF CON 32 | Las Vegas Convention Center, andThe Sahara[85] | August 8–11 | 2024 | N/A |
| DEF CON 31 | Caesars Forum,Flamingo,Harrah's Hotel, andLinq Hotel | August 10–13 | 2023 | ~25,000[citation needed] |
| DEF CON 30 | Caesars Forum,Flamingo,Harrah's Hotel, andLinq Hotel | August 11–14 | 2022 | ~25,000[citation needed] |
| DEF CON 29 | Paris Hotel andBally's Hotel | August 5–8 | 2021 | ~8,700[citation needed] |
| DEF CON Safe Mode | Virtual event | August 6–9 | 2020 | N/A |
| DEF CON 28 | PlannedCaesars Forum,Harrah's,The Linq, andFlamingo | August 6–9 | 2020 | 0[86] |
| DEF CON 27 | Paris Hotel,Bally's Hotel,Planet Hollywood, andFlamingo | August 8–11 | 2019 | ~30,000[9] |
| DEF CON China 1.0 | 751 D-Park | May 31–June 2 | 2019 | Unknown |
| DEF CON 26 | Caesars Palace andFlamingo | August 9–12 | 2018 | 28,000[87] |
| DEF CON China [Beta] | Kuntai Hotel (Beijing) | May 11–13 | 2018 | Unknown |
| DEF CON 25 | Caesars Palace | July 27–30 | 2017 | 25,000[88] |
| DEF CON 24 | Paris Hotel andBally's Hotel | August 4–7 | 2016 | 22,000[89] |
| DEF CON 23 | Paris Hotel andBally's Hotel | August 6–9 | 2015 | 16,000+[90] |
| DEF CON 22 | Rio Hotel & Casino | August 7–10 | 2014 | 16,000[91] |
| DEF CON 21 | Rio Hotel & Casino | August 1–4 | 2013 | 12,000[91] |
| DEF CON 20 | Rio Hotel & Casino | July 26–29 | 2012 | Unknown |
| DEF CON 19 | Rio Hotel & Casino | August 4–7 | 2011 | Unknown |
| DEF CON 18 | Riviera Hotel & Casino | July 30–August 1 | 2010 | Unknown |
| DEF CON 17 | Riviera Hotel & Casino | July 30–August 2 | 2009 | Unknown |
| DEF CON 16 | Riviera Hotel & Casino | August 8–10 | 2008 | 8,000[92] |
| DEF CON 15 | Riviera Hotel & Casino | August 3–5 | 2007 | Unknown |
| DEF CON 14 | Riviera Hotel & Casino | August 4–6 | 2006 | Unknown |
| DEF CON 13 | Alexis Park Resort | July 29–31 | 2005 | Unknown |
| DEF CON 12 | Alexis Park Resort | July 30–August 1 | 2004 | Unknown |
| DEF CON 11 | Alexis Park Resort | August 1–3 | 2003 | Unknown |
| DEF CON 10 | Alexis Park Resort | August 2–4 | 2002 | Unknown |
| DEF CON 9 | Alexis Park Resort | July 13–15 | 2001 | Unknown |
| DEF CON 8 | Alexis Park Resort | July 28–30 | 2000 | Unknown |
| DEF CON 7 | Alexis Park Resort | July 9–11 | 1999 | Unknown |
| DEF CON 6 | Plaza Hotel & Casino | July 31–August 2 | 1998 | Unknown |
| DEF CON 5 | Aladdin Hotel & Casino | July 11–13 | 1997 | Unknown |
| DEF CON 4 | Monte Carlo Resort and Casino | July 26–28 | 1996 | Unknown |
| DEF CON 3 | Tropicana Resort & Casino | August 4–6 | 1995 | Unknown |
| DEF CON 2 | Sahara Hotel and Casino | July 22–24 | 1994 | ~200 |
| DEF CON 1 | Sands Hotel and Casino | June 9–11 | 1993 | ~100 |
According to DefCon staff, Madigan had told someone she wanted to out an undercover federal agent at DefCon. That person in turn warned DefCon about Madigan's plans. Federal law enforcement agents from FBI, DoD, United States Postal Inspection Service and other agencies regularly attend DefCon to gather intelligence on the latest techniques of hackers.
Lots of people come to DEFCON and are doing their job; security professionals, federal agents, and the press.
DEF CON
Multimedia
