Maksim Kabakou - stock.adobe.com

Judge dismisses Chris Hadnagy lawsuit against DEF CON

DEF CON said it wasn't the only infosec conference to receive code-of-conduct complaints about Chris Hadnagy, claiming Black Hat USA removed him from its review board.

Editor's note: This story was updated with statements from Chris Hadnagy and Jeff Moss, which can be found later in the article.

A judge has dismissed a lawsuit filed by social engineering expert Chris Hadnagy against DEF CON in response to the infosec conference's decision last year to ban him from future events.

DEF CON announced Friday that Judge Wendy J. Beetlestone dismissed the lawsuit, which had been filed in U.S. District Court of the Eastern District of Pennsylvania. In February 2022, DEF CON organizers announced they had banned Hadnagy for unspecified code of conduct violations. Hadnagy, founder and CEO of Social-Engineer LLC, had spoken at the annual infosec conference several times and was the head of DEF CON's Social Engineering Village.

Hadnagy repeatedly denied any allegations of misconduct at DEF CON and claimed organizers did not inform him of the specific accusations against him. "DEF CON's code of conduct addresses harassment and discrimination, and I can say with 100% certainty that no one has ever come to me with accusations of harassment or discrimination -- not a single person," he said in a statement last year.

In response, he filed a lawsuit in August against DEF CON and its founder and organizer, Jeff Moss, claiming in part that they had damaged his reputation. However, Judge Beetlestone ruled earlier this month that her court lacked "personal jurisdiction" over the defendants and dismissed the lawsuit before pre-trial discovery. While it was dismissed, Hadnagy can refile the lawsuit in another court.

In its announcement Friday, DEF CON provided additional information that contested some of Hadnagy's earlier statements. For example, Hadnagy said in a statement last year that "DEF CON has NOT me told what [the accusations] are or presented any evidence to support them." However, DEF CON said it spoke directly with Hadnagy about his alleged violations of the code of conduct.

"He confirmed his behavior, and agreed to stop," DEF CON organizers said in the statement, which was also posted on Twitter. "Unfortunately, the behavior did not stop."

In a separate court filing, DEF CON also claimed that it "connected with at least half a dozen other members of the hacking community who described similar inappropriate conduct by Plaintiff Hadnagy."

DEF CON also said it wasn't the only infosec conference to receive complaints about Hadnagy's behavior. According to the statement, DEF CON's investigation revealed that "Black Hat [USA] received complaints, conducted their own investigation and removed Mr. Hadnagy from their Review Board."

Black Hat did not publicly announce Hadnagy's removal from the review board last year or detail any complaints against the social engineering expert. Last February, Hadnagy was asked on Twitter why he was no longer listed as a member of the Black Hat Review Board.

"The way the internet blew up after Jeff's announcement, they felt it was best I stepped away from BH," Hadnagy replied on Twitter. "No reason to bring that heat to their doors."

It's unclear why Hadnagy was removed from the Black Hat Review Board. TechTarget Editorial contacted Black Hat for comment on DEF CON's claims, but Black Hat organizers had not responded at press time.

UPDATE 1/20: In an email to TechTarget Editorial, Hadnagy said he would refile the lawsuit against DEF CON and Moss. "The case was dismissed based on jurisdiction only, which is not uncommon for cases based on online communications," he wrote.

Hadnagy also responded to questions from TechTarget Editorial about the accusations of code of conduct violations against him, as well as DEF CON's recent statement.

"Neither Jeff, nor anyone acting in any official capacity on behalf of Def Con ever spoke to me about the allegations," he said. "I did exchange messages with Jeff to try to arrange a meeting, but that meeting never happened." 

Hadnagy said he spoke about the accusations with a third party, who made it clear they were "reaching out to me as a friend and was not authorized to speak on behalf of Def Con." In court documents, DEF CON said an unnamed "third party" contacted Hadnagy on behalf of the conference, though the organization did not say that it spoke directly with Hadnagy.

TechTarget Editorial could not confirm the identity of the third party and therefore edited the statement to remove the individual's name.

"They provided a vague summary that an ex-employee was making accusations against me having to do with a dispute over a company computer. They repeatedly stated that he was trying to act as a mediator, but Jeff was not responsive. I have never at any time done or said anything that would be in violation of the Code of Conduct, and I certainly have never confirmed any wrongdoing or violation of the Code of Conduct," Hadnagy said in the email.

"They did ask questions to me about actions I had taken regarding an ex-employee to protect my company. The employee was leaving and she had taken actions that were clearly in violation of the non-disclosure and non-compete sections of her employment agreement. We provided notice to her and her lawyer that she was in breach of her employment agreement and that we would take steps to enforce the agreement if she did not cease and desist," Hadnagy said. "Never did I in any way admit to or confirm any harmful, harassing or illegal actions against any person. To date neither Jeff nor any representatives from DefCon have ever accepted my repeated requests for a meeting to discuss all of this."

Hadnagy also commented on his situation with Black Hat, saying he met with a representative of the infosec conference about the DEF CON ban and allegations. TechTarget Editorial could not corroborate this meeting at press time and therefore remove the representative's name from Hadnagy's statement.

"We discussed incidents in the past that have been raised and resolved publicly on social media, these incidents largely stemmed from interactions with members of the general public and involved a poor choice of words or negative reviews of my classes -- nothing that would be considered as harassment or in violation of the code of conduct, and all publicly available on Twitter and LinkedIn for years," he said. 

"[The Black Hat representative] informed me after the meeting that in light of the current accusation and the negative publicity surrounding me due to Def Con's statement, that Black Hat had decided that it would be best for them to follow Def Con's lead and to part ways with me," Hadnagy wrote. "At that point I was being decimated on Twitter on a daily basis, my company was losing clients, and I understood why Black Hat felt that it had to distance itself from me."

UPDATE 1/26: Moss responded to TechTarget Editorial's inquiry about Hadnagy's most recent comments: "If you compare what Chris has said here with what his previous public statements were, you will discover all kinds of contradictions," Moss said.

Black Hat has yet to respond to requests for comment. 

Next Steps

Judge dismisses Chris Hadnagy lawsuit against DEF CON

Dig Deeper on Careers and certifications

Networking
CIO
Enterprise Desktop
Cloud Computing
ComputerWeekly.com
Close