DEF CON 33 Wrap-Up: What Happened at Payment Village
A hands-on, community-powered look at payment system security — from ferrofluid and feature phones to CTF stats and future challenges.
DEF CON 33 was our biggest year yet — and it was powered by the incredible growth of our community. Last year’s volunteers returned with even more energy, helping lead workshops, run our CTF, and keep the entire Village moving.
We saw kids, first-timers, seasoned hackers, and returning attendees engage with every layer of the payment security ecosystem – from magstripes and ATMs to BLE, Android wallets, and trivia puzzles.
Here’s a look back at what happened.
Highlights from the Village
15 Speakers & 5 Workshops
Across the Payment Village and the Creator Stage, more than 2,000 people joined our talk lineup and live demos. We covered everything from BLE in mPOS systems to Android instrumentation, contactless security, card testing, and ATM exploitation.
See the full video playlist here.
The Payment Village leads with our speakers. From left to right: Karthik Tadinada, Erin West, Vincent Sloan, Leigh-Anne Galloway, Martyn Higson. Credit: Karthik Tadinada.
Talk “Carding is Dead, Long Live Carding: How MaaS is fueling NFC-relay attack” by Federico Valentini on the DEF CON creators stage.Credit: Karthik Tadinada,
The Payment Village Choir as part of the contest CAPTURE THE COIN, credit: Nicole Sloan
~200 People Joined Our Workshops
Our hands-on sessions this year were packed – and for good reason. Workshops like Vincent Sloan’s Card Testing and Ileana Barrionuevo’s Android app instrumentation weren’t just educational – they directly helped attendees prep for our CTF.
The Payment Village ATM as part of the contest CAPTURE THE COIN, credit: Nicole Sloan
The Payment Village ATM as part of the contest CAPTURE THE COIN, credit: Dan Borgogno.
The Payment Village PoS was incredibly popular as part of the CAPTURE THE COIN contest. Credit: Nicole Sloan.
Ferrofluid & Magstripes
Our physical stations drew huge crowds, including a surprising number of adults fascinated by ferrofluid’s ability to reveal magnetic data on cards. Many were shocked by how easily sensitive track data could be visualized.
Security and usability continue to be a balancing act in the payment ecosystem. The ferrofluid demonstration underscored the fragility of legacy magnetic stripe systems – which, despite their security risks, remain widely used due to backward compatibility and merchant familiarity.
Demonstration of ferrofluid on magnetic stripe by Christopher Marcotte, credit: Dan Borgogno.
Limited edition Payment Village cards as part of the Black Badge raffle.
Next Gen DEF CON
We participated for the first time in DC Next Gen, welcoming kids and teens into the hacker fold. Seeing 8-year-old Dominick and his parents stick with a 90-minute Dumpster Dive challenge was one of the most inspiring moments of the event.
Shredded cash from the dumpster diving challenge, credit:Nicole Sloan.
Payment Village CTF: Registered & Ready
This was the first year our CTF was officially registered — and it was a hit.
The winning team scored 890 points
We received strong feedback on the structure and depth of the challenges
Our physical tasks were the most popular, especially Dumpster Diving and the ferrofluid station
Announcement of CAPTURE THE COIN winners, credit: Ileanna Barrionuevo.
The contest leaderboard, credit: Ileanna Barrionuevo
We introduced five themed categories this year:
Trivia – Bouncy castles and orchestras, puzzles and protocol.
POS – Return of the "cash pop" with tougher twists.
MPOS – Powered by BLE reverse-engineering research.
Android – Dynamic analysis, mobile wallets, and runtime tricks.
Cards – Three attack vectors: online payments, POSSim with physical readers, and an ATM onsite (!).
CTF Theme: Tag Ambiguity – dive into it if you haven’t already.
Stats Snapshot
2,000+ talk attendees
~200 workshop participants
CTF officially registered for the first time
CTF winning score: 890
24 volunteers + 15 speakers
1st year in DC Next Gen program
Community sponsor: Incode
Broader Reflections on the State of Payments
The DEF CON crowd reminded us that payments affect nearly everyone on the planet. There are nearly 27 billion payment cards in circulation worldwide, and more than 4.5 billion people use mobile payments, many of them on feature phones, not smartphones.
Mobile services like M-Pesa in Kenya highlight both the scale and diversity of the global payments ecosystem. In other regions, wallets like Apple Pay and Google Pay have become mainstream – replacing raw cardholder data with payment tokens that offer better security and enable new business models like subscriptions.
Standards like PCI-DSS, often debated, have helped establish technical controls like encryption, monitoring, etc. across issuers, merchants, and processors. In fact, PCI-DSS helped pave the way for modern compliance frameworks across sectors (HIPAA, SOC2, ISO27001).
But there’s more work ahead. The emergence of BNPL, crypto, and even deepfake-driven fraud presents new challenges. As always, the deeper our collective understanding, the better our ability to secure the future.
A Final Thank You
None of this would have been possible without our core team — many of whom began as volunteers last year. This Village is built by hackers for hackers, and 2025 proved just how powerful that model can be. We are also grateful to our community sponsors, Incode,whose support plays a vital role in advancing our mission.
We’re immensely proud of what we built together at DEF CON 33.
Payment Village volunteers. Credit: Justin Lam.
If you want to support this work — or help us go even bigger next time:
→ Share this post. Sponsor the Village. Or just come say hi next year.