Back in 2023, we ran the first undercover security campaign at Ethereum Argentina. Our goals were to:
- Raise awareness on attacks at conferences, such as device hijacking, private key compromises, phishing, and social engineering.
- Demonstrate vulnerabilities in realistic scenarios, showing how attackers could leverage both on-chain and off-chain situations to gather data and potentially compromise security.
- Engage the community by fostering participation with workshops, talks, gatherings, scavenger hunts, CTFs, and similar activities to make attendees interact with parts of the campaign.
We don't like theory. After all, we're hackers. We thrive doing stuff. So those high-level goals quickly turned into fun, harmless activities at the venue, including USB drops, look-alike flyers with backdoored challenges and QR codes, cloned sites, cards on unattended devices, WiFi hotspots, etc.

The feedback from the community was outstanding. We'd found a novel way to teach security in practical ways nobody had ever done in the Ethereum ecosystem.
So ever since 2023, we thought of running a larger, more impactful campaign. It'd have to be either at Devcon or Devconnect.
We submitted a public DIP to share our ideas with the community, preparing the ground to do it at Devcon in Bangkok.

Bangkok wasn't ideal, though. It was too far away to set up logistics and travel with hardware and gadgets. Despite that, we created 15 security challenges across different domains (both on-chain and off-chain) and our first proof-of-concept for the Phishing Dojo.
And the original campaign? Well, we decided to call it off for at least a year. We'd wait for the perfect moment, which didn't take long to appear.

Devconnect was confirmed to happen in Buenos Aires! That was our so-much-awaited call. No doubt we'd run a full-blown security awareness campaign at Devconnect. With the support of our local friends, collaborators, and the thriving Argentine hacking community, it'd be a blast.
We couldn't just repeat our performance at Ethereum Argentina 2023, though. We had to expand, go bigger. So we spent months coming up with ideas to execute at Devconnect, building upon the DIP we had shared with the organizers.
Reality kicks in
We wanted the organization's approval to carry out our campaign, even if all our activities were harmless for attendees. We didn't want to affect event logistics too much, or end up kicked out of Devconnect for hanging fake flyers or the like. The DIP was a first step, followed by privately chatting with some of the organizers. That way, we'd give enough visibility to the Devconnect team, without spoiling surprises for the rest.
We presented a large list of activities of different flavors. Agreed, some of them could be slightly controversial at first sight. But given that (1) we had already written the DIP, (2) we had already done a campaign in the past, and that (3) The Red Guild has a proven track record in the Ethereum ecosystem with an impeccable reputation, we thought we'd be allowed to, at the very least, repeat the Ethereum Argentina experience. And hopefully go above and beyond.
However, reality is different. After a few meetings with our points of contact, we realized there was a massive mismatch of expectations. Not only was it prohibited to do what we'd done at Ethereum Argentina, but we should also do less of what our campaigns consist of. Far, far less.
No USB drops. No touching the WiFi. No flyers. No fake sites. No QR codes. No fake agendas. No passive scanning of anything. No charging stations. Not even a simple screen with a real-time threat dashboard. A looong list of NOs.
Short aside: I'm writing this at Devconnect. Tethering my WiFi because the venue's one doesn't work.
I guess that's the most secure WiFi - the one people cannot even use.
What's a security campaign supposed to look like under those restrictions? Hard to tell. With only one or two months to the event's kickoff, we had to go back to the drawing board.
Frustrating and disappointing are some words to start describing our mood during those weeks.
If that wasn't enough, our 2025-2026 grant with the Ethereum Foundation was rejected in the meantime. But that's another story.
Reshaping the campaign
We wouldn't be discouraged, though. This was a once-in-a-lifetime opportunity to do something meaningful for our local community in Argentina, and everyone attending Devconnect. We would not let it slip by so easily.
Restrained from doing anything hack-ish at the venue, we'd have to reshape the campaign in creative ways. Which is OK, because if we hackers at The Red Guild know something, it is how to be creative.
'OPSEC while traveling' books
The highlight of our swag at Devconnect. A minibook packed with actionable ideas and suggestions to harden your OPSEC while traveling.
We printed and distributed around 3.5K books across multiple events during the week, including:
- Aleph Crecimiento;
- Ethereum Foundation's cocktail party;
- Devconnect's:
  - coworking tables,
  - onboarding area,
  - and directly to staff at La Rural;
- DeFi Security Summit (both the 101 and main conference);
- Opsek's security asado at Area3 cowork;
- Sigma Prime and friends event;
- 1 trillion dollar security event, etc.
That, on top of all the books we personally handed out.




Straight up THE best merch I received in @EFDevcon.
gg @theredguild and @_SEAL_Org 🫶🏻 pic.twitter.com/8WXMDZlo1E
— Rahul Saxena in 🇦🇷for Devconnect (@saxenism) November 21, 2025
OOOH YES!!! THE BEST MERCH BABY 🥵
This was the book's first version. With the community's help, we'll improve it and make an even more useful v2 for the next time! 📚🫶
QR threat analyzer
With a more defensive approach to QRs, we created a scanner to detect threats on websites and explain Ethereum transactions in natural language.

It's a simple camera-based progressive web app that pulls results from different APIs (Unblind, SEAL's blocklists, VirusTotal, Google Safe Browsing) and serves them to the user in a friendly format.

Live threat dashboard
We developed a dashboard to showcase live threats in the crypto ecosystem, building on top of multiple external feeds and our own.

The Red Guild's threat dashboard includes live feeds for:
- Catching suspicious domain registrations using Certsentry, featuring our own heuristics. Helpful to detect, flag, and report phishing domains even before they set up the actual sites!
- Detection of potential malware in IDE extensions, feeding from Krakovia.
- Defimon on-chain activity and messages, feeding from Decurity.
- Feed of ZachXBT investigations from their Telegram group.
It's a pity we received pushback from the organization and were told not to feature the dashboard at the conference. It'd have been a nice opportunity to share these live feeds and insights IRL with attendees.
We understand that providing this information without clear indications of what to do can be considered useless. Our strongest argument against this is that the API and the dashboard are already public, free to use, and we're working with SEAL Intel to apply analysis on top. The dashboard is a way to provide visibility of things that are already happening.
Anyway, check it out for yourself below 👇

A few metrics from our first week run showed incredible results. We found 1093 unique domains targeting 'Coinbase', with 2826 unique subdomains for them. Here's an example of a phishing campaign pattern.
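As an added illustration (not The Red Guild's code or their actual heuristics), here is a minimal Python sketch of brand look-alike detection over hostnames seen in certificate data, counting unique domains and subdomains the way the metrics above do. The hostnames, the substitution table, and the last-two-labels domain rule are assumptions made for the example.

```python
import re

BRAND = "coinbase"            # brand named in the metrics above
OFFICIAL = {"coinbase.com"}   # assumption: the brand's legitimate domain
# Assumption: common digit/symbol substitutions used in look-alike names.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "$": "s"})

# Constructed sample hostnames on reserved TLDs (not real observations).
SAMPLE = [
    "coinbase.com", "www.coinbase.com",
    "login.coinbase-support.example", "verify.coinbase-support.example",
    "c0inbase-wallet.test", "*.co1nbase.example",
    "coinbase.secure-login.example", "blog.unrelated.example",
]

def registrable(host):
    """Naive registrable domain: the last two labels (no Public Suffix List)."""
    return ".".join(host.split(".")[-2:])

def edit_distance(a, b):
    """Levenshtein distance using two rolling rows."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def looks_like_brand(host):
    """True if a name token contains the brand after undoing substitutions,
    or is within one edit of it (typosquats such as a doubled letter)."""
    for token in re.split(r"[.\-_]", host.lower().lstrip("*.")):
        plain = token.translate(LEET)
        if BRAND in plain or edit_distance(plain, BRAND) <= 1:
            return True
    return False

def summarize(hostnames):
    """Map each flagged registrable domain to the set of its flagged subdomains."""
    hits = {}
    for raw in hostnames:
        host = raw.lower().lstrip("*.").rstrip(".")
        dom = registrable(host)
        if dom in OFFICIAL or not looks_like_brand(host):
            continue
        subs = hits.setdefault(dom, set())
        if host != dom:
            subs.add(host)
    return hits

if __name__ == "__main__":
    found = summarize(SAMPLE)
    print(len(found), "domains,", sum(len(s) for s in found.values()), "subdomains")
```

Note that the brand can sit in a subdomain of an unrelated registrable domain, which is why the whole hostname is tokenized rather than only the registered name.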

The Phishing Dojo
Devconnect found us rushing to have a new beta version of The Phishing Dojo (originally released last year for Devcon). We managed to revamp the whole platform to have proper account management, progress tracking, and better training builders (TBD). Available in dark mode 💅
The new version of the Phishing Dojo we shared at Devconnect features new training, including:
- Wallet signing, where we show different kinds of wallet interactions (transfers, data signing, approvals, SIWE, etc) in realistic settings and websites with different wallets' UIs (software, hardware). Users are expected to spot suspicious information, activities, and actions, and flag them to pass the challenges.
- Email basics & advanced: two new trainings to learn about phishing threats in emails. While the basic covers fundamentals of domains, links, and suspicious content, the advanced goes into depth with authorization schemes (DMARC, SPF, DKIM). Overall, our email training involves inspecting email senders, subjects, raw contents, headers, links, and any other email component that attackers may exploit to weaponize them.
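The kind of header inspection the advanced email training covers can be sketched as follows. This is an added example, not code from The Phishing Dojo: it reads the `Authentication-Results` header of a constructed message and reports SPF/DKIM results that passed for a domain other than the visible From domain. The server name, the sample message, and the last-two-labels domain rule are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

TRUSTED_AUTHSERV = "mx.recipient.example"  # assumption: our own receiving mail server

# Constructed sample message (not a real email).
RAW = (
    "Authentication-Results: mx.recipient.example;\n"
    " spf=pass smtp.mailfrom=bounce.mailer.example;\n"
    " dkim=pass header.d=mailer.example;\n"
    " dmarc=fail header.from=wallet-support.example\n"
    'From: "Wallet Support" <security@wallet-support.example>\n'
    "Subject: Action required: verify your wallet\n"
    "\n"
    "Body omitted.\n"
)

def org_domain(name):
    """Naive organizational domain: last two labels (no Public Suffix List)."""
    return ".".join(name.lower().rpartition("@")[2].split(".")[-2:])

def parse_auth_results(value):
    """Split one header value into (authserv_id, {method: (result, props)}).
    Simplified: one entry per method, no handling of RFC 8601 comments."""
    parts = value.split(";")
    methods = {}
    for part in parts[1:]:
        m = re.match(r"\s*(\w+)=(\w+)(.*)", part, re.S)
        if m:
            props = dict(re.findall(r"([\w.]+)=([^\s;]+)", m.group(3)))
            methods[m.group(1).lower()] = (m.group(2).lower(), props)
    return parts[0].strip(), methods

def assess(raw):
    """Return a list of findings about the message's authentication state."""
    msg = message_from_string(raw)
    from_dom = org_domain(parseaddr(msg.get("From", ""))[1])
    server, methods = parse_auth_results(msg.get("Authentication-Results", ""))
    # A header written by any other host may have been supplied by the sender.
    if server != TRUSTED_AUTHSERV:
        return ["no Authentication-Results from our own server: treat as unauthenticated"]
    findings = []
    for method, prop in (("spf", "smtp.mailfrom"), ("dkim", "header.d")):
        result, props = methods.get(method, ("none", {}))
        ident = org_domain(props.get(prop, ""))
        if result != "pass":
            findings.append(f"{method}={result}")
        elif ident != from_dom:
            findings.append(f"{method} passed for {ident}, not aligned with From {from_dom}")
    dmarc = methods.get("dmarc", ("none", {}))[0]
    if dmarc != "pass":
        findings.append(f"dmarc={dmarc}")
    return findings
```

For the sample message, SPF and DKIM both pass, but for the sending service's domain rather than the one shown in From, which is exactly what the DMARC failure reflects.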

Top unsolicited appearances
As we were running our campaign, networking and jumping around events, talks, and meetings, it was incredible to see The Red Guild being praised by colleagues we admire in the ecosystem.
Here are some highlights.
First, the one and only @smpalladino casually mentioning The Red Guild as one influential and underrated team in Ethereum security:

In the same talk, seeing The Red Guild featured among other influential Argentine crypto projects. Beautiful to see our logo there.

We also had our dear friend @_iphelix sharing one of our latest articles on NPM and supply chain attacks in the top talk at the DeFi Security Summit.

We were also mentioned at Aleph Crecimiento and EthCon as part of Argentina's relevant milestones in history!

It was based on the website below, and you can even suggest relevant events to the timeline:
We'll probably add a few things, particularly all the work that we've done in Tandil, and also that matta was the coordinator of volunteers and assisted in the production of the first biggest Ethereum-related event in Argentina, EthBuenosAires.
101 ways to get rekt @ DeFi Security Summit
We did a 1-hour talk at the DeFi Security Summit, sharing an absurd amount of content on:
- Abusing VSCode extensions to escape containers
- AI prompt injection and context pollution
- Threat simulations with the new training of The Phishing Dojo
101 ways to get rekt 👀
…and how to avoid them 😌
Great insights from @mattaereal and @tinchoabbate of @theredguild.
Big thanks for the OpSec books too! 🪷 pic.twitter.com/E0EuVTZH28
— Defi Security Summit (@summit_defi) November 19, 2025


Here's the video recording in case you want to see it. You'll realize we skipped a lot of PoCs and demos due to time constraints. We will probably record an extended version of this soon.
The VSCode section was based on Leveraging VSCode internals to escape containers.
Panel at OpenZeppelin Convergence
It's 2025, and protocols still get hacked. Is 100% security even possible?
We don't know. But we had some ideas! So we joined the discussion at OpenZeppelin Convergence, sharing the stage with Eric from Uniswap, Patrick from Cyfrin, Eloi from Linea, and Jota from OpenZeppelin.

Here you can check out some of our takeaways:
1/5 My takeaways from the panel at Convergence!
- Security Frameworks for best practices and Certifications from SEAL to show proof of knowledge.
- Do not negate human nature, instead of mechanisms of control implement methods of recovery. @OpenZeppelin @_SEAL_Org pic.twitter.com/RQs1fSoW29
— matta ⚡🪷 (@mattaereal) November 21, 2025
And more!
1 Trillion Dollar Security Initiative
Because all this wasn't enough, we also moderated and led the off-chain security layer at the Trillion Dollar Security Day, organized by the Ethereum Foundation and Trust X. It was an entire day full of discussions per layer:
- L1 - Topics related to Ethereum L1 security
- L2 - Topics related to Ethereum L2 security
- Wallet - Topics related to Wallet security
- Interop - Topics related to Interop security
- Infrastructure - Topics related to Ethereum Infrastructure security (tools, services, etc.)
- Onchain - Topics related to smart contract security (audits, bounties, etc.)
- Off-chain - Topics related to off-chain security (staking, opsec, etc.)
- Monitoring & Response - Topics related to monitoring and response of protocol security
- Privacy - Topics related to Ethereum privacy
- Social - Topics related to the social layer of Ethereum security (education, outreach, etc.)
What surprised me the most was that the organization allocated double the space to the off-chain layer, and, along with the social layer, these two were the top 2 with the fewest participants. Of course, there was some overlap with Wallet security and Infrastructure layers, for example, but I think that there's something to learn from this experience.
We led, wrote down, and later presented the whole day's work to the rest of the layers and the organization. We might create a separate article with our thoughts on this; however, an official article from the initiative will be published soon.
Here are a few articles in case you want to better understand the context we had for the day:
- https://blog.ethereum.org/2025/05/14/trillion-dollar-security
- https://blog.ethereum.org/2025/08/20/trillion-dollar-sec-2
- https://ethereum.org/trillion-dollar-security
Startup Cup @ Crecimiento
The guild was invited to participate in the Startup Cup at Crecimiento. From around 300 teams, only 60 were picked to participate in the semi-finals. We helped in the first two rounds, interviewing around 20 teams and helping the cup get closer to its grand finale.
We spent a few minutes at their closing party saying goodbye to Aleph, the cowork from Crecimiento that has now been closed. We hugged a few friends, toasted to all the good experiences we shared there, and, in some sense, continued our awareness campaign, because matta always has some more time to spread the security gospel...
Nothing to see here, just @mattaereal from @theredguild doing the Lord's work, helping out a friend with opsec in the middle of a party at @crecimientoar. pic.twitter.com/tbGSTxVpHF
— Santiago Palladino (@smpalladino) November 23, 2025
USB plugs
In our previous campaigns, we recorded ourselves interacting with and moving unattended computers and smartphones around (just to prove we weren’t doing anything harmful), and at the same time, to show that people do not take threats seriously.
In each case, we'd leave a presentation card that read: "You could’ve been pwned by The Red Guild".
For Devconnect, instead of a presentation card, we created 3D-printed fake USB devices. They can literally connect to USB-A, USB-C, and Lightning type ports. We’d give these to our collaborators, who’d find unattended computers or phones lying around the venue, and plug them in.

They can also be used as keychains! So it's a unique piece of swag too 🔥
We also had an even smaller version of these pluggable USBs, with only a ? printed and an embedded lotus flower on them. Here's one our team dropped in an unattended device — we might have plugged a few others as well.

Radio monitoring
Using a HackRF One and some other gadgets, we spent some time attempting to find sensitive public radio conversations at the venue. The goal was to demonstrate how easy it would be for attackers to listen to comms on logistics and the venue's physical security.


Catching IMSI catchers
We deployed a device running Rayhunter to detect cellular spying at the venue. Rayhunter is an open-source tool from the EFF to detect cell-site simulators (CSS).
CSS (also known as Stingrays or IMSI catchers) are devices that masquerade as legitimate cell-phone towers, tricking phones within a certain radius into connecting to the device rather than a tower.




Honeypots
Since we were not allowed to interact with WiFi, we decided to at least try unobtrusive passive monitoring. We invested a few bucks to buy a cool piece of hardware and then deployed some known honeypots.
Pottie would allow us to run 70+ honeypots by itself, and we'd leave it at Devconnect to lure attackers into targeting us.

We soooo failed at this setup though. The minimum we needed to execute this was a stable connection, regardless of the networks being isolated or not. We even brought a 25 m CAT5 Ethernet cable with us. But the WiFi at Devconnect was so collapsed that we couldn't set up a lasting connection to have our honeypots running 🤷.
We could've mimicked already connected devices, cloned MAC addresses, connected our own router as a proxy, or even directly tried deauths, but since that was out of the question, we just carried a boulder everywhere.
You can't always get what you want
But you can hack your way to it.
It's clear this wasn't the security awareness campaign we had dreamt of. Our road to Devconnect was full of holes, bumps, and ugly surprises around every corner. We were challenged in so many ways to get there.
Regardless of all constraints and limitations, we managed to pull off unique and memorable experiences for everyone that we could reach in our community.
The Red Guild is a small, independent, underfunded team. Still, The Red Guild continues to shape what security for the public good means in the crypto ecosystem.
And, we do legit-af-signaling swag*.
If you have a @theredguild pin, shirt, or other apparel, that is a signal that you’re legit af
— Patrick Collins (@PatrickAlphaC) November 23, 2025
*legit-af-signaling swag adj. phr. & n.
Definition: Denoting distinctive raiment or goods of such undeniable caliber that their mere display serves as an irrevocable proclamation of the owner’s genuineness to the utmost degree; the physical manifestation of indisputable clout.
"He entered the boardroom clad in the shirt, a piece of legit-af-signaling swag that silenced all detractors."



