In February Def Con banned a social engineering star, when the Def Con hacker conference released its annual transparency report, the public learned that one of the most prominent figures in the field of social engineering had been permanently banned from attending.
For years, Chris Hadnagy had enjoyed a high-profile role as the leader of the conference’s social engineering village. But Def Con’s transparency report stated that there had been multiple reports of him violating the conference’s code of conduct. In response, Def Con banned Hadnagy from the conference for life; in 2022, the social engineering village would be run by an entirely new team.
Now, Hadnagy has filed a lawsuit against the conference alleging defamation and infringement of contractual relations.
The lawsuit was filed in the United States District Court for the Eastern District of Pennsylvania on August 3rd and names Hadnagy as the plaintiff Lord of the Rings and Hobbit rights snapped, with Def Con Communications Inc. and the conference founder, Jeff Moss, also known as “The Dark Tangent,” as defendants. Papers were served to Jeffrey McNamara, attorney for Moss, at the conference in Las Vegas this year.
There are few public details about the incidents that caused Hadnagy’s ban, as is common in harassment cases. In the transparency report announcing the permanent ban, Def Con organizers were deliberately vague about the reported behavior. “After conversations with the reporting parties and Chris, we are confident the severity of the transgressions merits a ban from DEF CON,” organizers wrote in their post-conference transparency report following the previous year’s conference.
Def Con’s Code of Conduct is minimal, focusing almost entirely on a “no-harassment” policy. “Harassment includes deliberate intimidation and targeting individuals in a manner that makes them feel uncomfortable, unwelcome, or afraid,” the text reads. “Participants asked to stop any harassing behavior are expected to comply immediately. We reserve the right to respond to harassment in the manner we deem appropriate.”
At the conference this year, various people familiar with the matter told The Verge that Hadnagy’s behavior met the definition of harassment as defined by the code of conduct but declined to give more details on the record.
Reached for comment, Melanie Ensign, press lead for Def Con, pointed The Verge to a statement previously posted by Moss in advance of the conference this year. “When we receive a report of a Code of Conduct violation, our leadership team… conducts a review of the substance in consultation with our attorney as needed,” the statement reads. “We then review all the evidence available to us through community reports, news media, and internal investigations to determine whether the allegations are substantiated.”
The infosec community has had a number of high-profile sexual misconduct cases, some implicating the community’s most notable researchers. In 2016, former Tor developer Jacob Appelbaum resigned from the Tor Project after numerous allegations of “sexually aggressive behavior,” which the project’s executive team investigated and confirmed. A year later, The Verge reported news that security researcher Morgan Marquis-Boire had been credibly accused of sexually assaulting women over a period of decades.
Def Con’s commitment to a public transparency report — first announced in 2017 — marked a new push from organizers to create a safer conference by cracking down on harassment in spaces related to the conference.