DEF CON 33 Recap: Inside the World’s Largest Hacker Gathering
Every summer, thousands of hackers, researchers, and security enthusiasts converge in Las Vegas for one of the most anticipated events in cybersecurity: DEF CON.
By Tim Uhlott | Last updated: September 13, 2025
Held from August 7 to 10, 2025, at the Las Vegas Convention Center, DEF CON 33 brought together nearly 30,000 hackers, researchers, security professionals, and enthusiasts, reaffirming its status as the world’s largest and most dynamic hacker convention.
What began over three decades ago as a small gathering of hackers has since evolved into a global phenomenon, known not only for its cutting-edge technical talks but also for its hands-on culture of experimentation, collaboration, and community. The 2025 edition stood out for its strong emphasis on AI security, community-driven defense, and social engineering awareness, while staying true to its roots with legendary competitions, interactive villages, and the distinct hacker ethos that makes DEF CON unlike any other conference.
Villages & Hands-On Experiences
Blue Team Village (BTV)
The BTV served as a hub for defenders and security professionals to collaborate on strategies for detection, response, and resilience against modern cyber threats. Attendees participated in Capture-the-Flag (CTF) competitions focused on defense, explored threat-hunting labs, and engaged in sessions on incident response, SOC operations, and malware analysis.
IoT Village
With the Internet of Things expanding into homes, hospitals, and critical industries, IoT Village drew heavy crowds. Security researchers showcased live demonstrations of vulnerabilities in everyday devices (smart locks, cameras, routers, and even medical wearables), emphasizing just how often convenience trumps security in consumer technology. Workshops offered guidance on responsible disclosure, reverse engineering, and how manufacturers can integrate security-by-design into IoT products.
Lockpicking Village
A perennial DEF CON favorite, the Lockpicking Village buzzed with activity as attendees of all skill levels learned how to pick, bypass, and understand physical security mechanisms. From traditional pin-and-tumbler locks to handcuffs, safes, and high-security systems, the village offered a rare opportunity to practice physical security hacking under the guidance of experts from groups like TOOOL (The Open Organisation of Lockpickers). Beyond fun, it reminded participants that physical access often remains the first line of compromise.
Biohacking & Voting Machine Villages
The Biohacking Village continued to explore the intersection of technology and the human body, including workshops on medical device security, DIY biology projects, and ethical debates about human augmentation.
Meanwhile, the Voting Machine Village once again underscored DEF CON’s civic mission, with researchers exposing vulnerabilities in real-world election equipment. By allowing attendees to probe voting systems firsthand, the village fueled important conversations about election integrity, public trust, and the responsibility of governments to modernize security.
Social Engineering in Action
The Social Engineering Community (SEC) Village demonstrated the human element of security with a series of headline events centered on vishing (voice phishing). The village showcased both the art and the future of social engineering by combining live demonstrations, competitions, and groundbreaking AI experiments.
Vishing Competition (SECVC)
The SEC’s flagship event drew massive crowds this year. Contestants stepped into a soundproof glass booth, nicknamed the “glass cage of emotion,” where they made live vishing calls to real companies. The competition was overseen by experts like Stephanie “Snow” Carruthers (a former DEF CON Social Engineering Village Black Badge winner) and JC Carruthers.
The organizers assigned contestants target organizations (ranging from pizza joints to telecoms) well in advance of the conference, tasking them with gathering intelligence on the target and strategizing how best to talk their way in. On the day of the competition, they were ushered into a sound isolation booth with a phone line controlled by a referee. Contestants had a limited amount of time to dial the target organizations and retrieve their objectives.
Those objectives typically entailed convincing the party on the other end of the line to disclose details about physical security and cybersecurity measures at their employers. For example, vishers often had to ask how staff locked up at night, what antivirus software was installed on their machines, whether there were protocols for handling personal data, or how workers disposed of old keycards. Other objectives sometimes included directing the target to visit a phishing link, though in this case, it was a harmless site displaying humorous error messages.
Callers often pretended to be from some kind of IT department or help desk, but they employed other personas as well, posing as everything from angry customers to radio hosts awarding prizes.
The competition had strict ethical rules. Asking for sensitive information such as credentials or personally identifiable information was banned, as were “pretexts or narratives which utilized fear” and impersonation of external authority figures like police. Audience members were warned not to record audio of the actual calls.
Cold Calls Experience
Designed for beginners, this hands-on activity allowed attendees to try vishing in a lower-stakes environment. Instead of being scored or judged, participants could practice persuasion techniques, roleplay scenarios, and experience firsthand the tension of making a cold call.
With coaching from veteran social engineers, the Cold Calls Experience helped bridge the gap between theory and real-world execution, showing that even novices could become surprisingly effective with just a little guidance.
Battle of the Bots: AI vs. Human Vishing
Perhaps the most talked-about showcase of DEF CON 33, this experimental event pitted AI-driven vishing bots against human social engineers. AI systems designed by Lisa Flynn and Perry Carpenter were trained on persuasion tactics, voice modulation, and common pretexts.
They went head-to-head with experienced human contestants in attempting to trick live “targets.” While the human competitors ultimately edged out the win, the AI’s strong performance stunned the audience and sparked heated conversations about the future of automated social engineering.
If machine learning can already mimic human manipulative strategies this convincingly, defenders may soon face a new era of scalable, AI-powered attacks.
Conclusion
From AI red teaming to voice phishing battles, the event revealed both the risks we face and the ingenuity of a community determined to outsmart them.
As always, DEF CON proved that hacking isn’t just about breaking systems; it’s about understanding them deeply, defending them better, and pushing the boundaries of what technology can do.