In February, when the Def Con hacker conference released its annual transparency report, the public learned that one of the most prominent figures in the field of social engineering had been permanently banned from attending.
For years, Chris Hadnagy had enjoyed a high-profile role as the leader of the conference’s social engineering village. But Def Con’s transparency report stated that there had been multiple reports of him violating the conference’s code of conduct. In response, Def Con banned Hadnagy from the conference for life; in 2022, the social engineering village would be run by an entirely new team.
Now, Hadnagy has filed a lawsuit against the conference alleging defamation and infringement of contractual relations.
The lawsuit was filed in the United States District Court for the Eastern District of Pennsylvania on August 3rd and names Hadnagy as the plaintiff, with Def Con Communications Inc. and the conference founder, Jeff Moss, also known as “The Dark Tangent,” as defendants. Papers were served to Jeffrey McNamara, attorney for Moss, at the conference in Las Vegas this year.
There are few public details about the incidents that caused Hadnagy’s ban, as is common in harassment cases. In the transparency report announcing the permanent ban, Def Con organizers were deliberately vague about the reported behavior. “After conversations with the reporting parties and Chris, we are confident the severity of the transgressions merits a ban from DEF CON,” organizers wrote in their post-conference transparency report following the previous year’s conference.
Def Con’s Code of Conduct is minimal, focusing almost entirely on a “no-harassment” policy. “Harassment includes deliberate intimidation and targeting individuals in a manner that makes them feel uncomfortable, unwelcome, or afraid,” the text reads. “Participants asked to stop any harassing behavior are expected to comply immediately. We reserve the right to respond to harassment in the manner we deem appropriate.”
At the conference this year, various people familiar with the matter told The Verge that Hadnagy’s behavior met the definition of harassment as defined by the code of conduct but declined to give more details on the record.
Reached for comment, Melanie Ensign, press lead for Def Con, pointed The Verge to a statement previously posted by Moss in advance of the conference this year. “When we receive a report of a Code of Conduct violation, our leadership team... conducts a review of the substance in consultation with our attorney as needed,” the statement reads. “We then review all the evidence available to us through community reports, news media, and internal investigations to determine whether the allegations are substantiated.”
The infosec community has had a number of high-profile sexual misconduct cases, some implicating the community’s most notable researchers. In 2016, former Tor developer Jacob Appelbaum resigned from the Tor Project after numerous allegations of “sexually aggressive behavior,” which the project’s executive team investigated and confirmed. A year later, The Verge reported news that security researcher Morgan Marquis-Boire had been credibly accused of sexually assaulting women over a period of decades.
Def Con’s commitment to a public transparency report — first announced in 2017 — marked a new push from organizers to create a safer conference by cracking down on harassment in spaces related to the conference.
Even so, Hadnagy’s ban has sent shockwaves through the Def Con community, particularly given his status as a conference insider and coordinator of a popular activity zone. As leader of the SE Village — where attendees learn the art of eliciting sensitive information from targets through psychological tricks — Hadnagy held a celebrated role at the conference year after year, explaining tradecraft and running a crowd-pleasing capture-the-flag competition. As a published author and frequent speaker on the topic of social engineering, Hadnagy’s participation was a big draw for those looking to break into the field.
This year, the village — rebranded as Social Engineering Community — was under new leadership, with JC Carruthers and Stephanie “Snow” Carruthers in charge of events. The new organizers told The Verge that they had stepped in on short notice with a proposal to run the village after news of Hadnagy’s ban broke and that feedback from attendees this year had been positive. Both declined to comment on the specific nature of the accusations against Hadnagy.
Reached by The Verge, Hadnagy claims that conference organizers did not provide details of the accusations against him and denies any wrongdoing.
“My company and I consistently deny and continue to deny any and all allegations of misconduct,” he said in an email statement to The Verge. “To address these false accusations, defamatory statements and innuendos I have filed a lawsuit against both DEF CON Communications and Jeff Moss.”
In the lawsuit, Hadnagy alleges that the statements in the transparency report, combined with the rarity of being barred from the conference, mean that the ban amounts to “severe and irreversible” harm to his reputation, for which he is seeking damages in excess of $75,000. The complaint also includes further counts of interference with contractual relations, infliction of emotional distress, and invasion of privacy — with the same amount of damages being sought for each.
Since the ban, Hadnagy has become a persona non grata at similar events. Recently, one of the main organizers of the BSides Cleveland security conference stepped down after booking Hadnagy as a surprise keynote speaker. Hadnagy was reportedly intending to deliver a talk that included a criticism of “cancel culture.”
As news of the case became public, some notable voices in the infosec community gave a critical response. Alyssa Miller, chief information security officer at business services firm Epiq Global, branded the lawsuit an abuse of the legal system and an attempt to manipulate conference organizers.
“Let’s be clear about what this lawsuit is about,” Miller tweeted. “It’s not about DEFCON or DarkTangent. This is about [Chris Hadnagy] trying to force the names and full details of his accusers into the public sphere so he can go after them, attack them, and try to discredit them.”
Correction August 18, 4:15PM ET: An earlier version of this story claimed that Jeff Moss was served papers directly. In fact, papers were served to Moss’s attorney, Jeffrey McNamara. We regret the error.