How I hacked hackers at LeHack 2025


TL;DR

At LeHack 2025, I deployed a rig of 8x ESP32-C3 + 2 CardPuters running Evil-M5Project to perform Karma Wi-Fi attacks using real-world SSIDs taken from Wigle. This setup can handle 100 connections at the same time.

Victims saw an educational captive portal: no exploitation, just awareness.

I even karma’d a speaker live on stage.

Hackers got hacked. Mission complete.



1. Introduction – LeHack

First of all, what exactly is LeHack?

LeHack is one of the oldest and most respected hacking events in Europe. Held annually in Paris, it brings together cybersecurity professionals, ethical hackers, hardware tinkerers, and curious minds from all over the world, though mostly French. Originally known as « La Nuit du Hack », the event has grown into a full-blown weekend of talks, workshops, live hacking villages, and CTFs.

It’s a place where offensive security meets creativity, where exploits are celebrated, and where the line between proof-of-concept and chaos is often very thin, making it the perfect place to test and showcase unconventional setups in the wild.

But beyond the talks and the tech, what really makes LeHack special is its atmosphere. It’s raw, electric, and unfiltered. The kind of place where you can be talking packet injection with a random hacker over beer one moment, and bump into a cybersecurity legend the next.

Despite the crowds, many of the scene’s biggest names remain incredibly approachable, whether they’re giving a talk and going for a cigarette or a beer with everyone right afterward, hanging out in the OSINT village, quietly hacking away in a corner with a GPD mini, or building a website in a few hours as revenge for a picture of his feet being stolen (https://cyberfeet.fr/).

Everyone is open, curious, and passionate. There’s something to explore at every turn: bizarre devices, live demos, obscure hacking challenges, and spontaneous debates that last into the night.

If DEFCON is Vegas chaos, LeHack is Parisian anarchy. In my opinion, it’s the place to be each year during this period!


2. The Project – Karma anyone who can be

I’ve been actively working on the Evil-M5Project for the past 2 years, a platform designed to implement many Wi-Fi, Bluetooth and network attacks, especially Karma Wi-Fi attacks, using ESP32 microcontrollers.

Through extensive testing and experimentation, I realized that the attack surface of the Karma attack is surprisingly broad, especially when you carefully craft SSIDs that mimic real-world open networks that people trust and connect to during their daily life or their trip to the event.

Even seasoned professionals can get caught if the conditions are right. There is so much Wi-Fi that people use, like train station Wi-Fi, fast food hotspots, and event networks from this year and past years. Because the network is open or the password is known, the device trusts the network and reconnects without user interaction.

People’s devices just want to connect, and sometimes scream the SSID over the air.
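To see what "screaming the SSID" looks like on the wire, here is an added example (not part of the original post or of Evil-M5Project) that extracts the SSIDs a given device names in its 802.11 probe requests. It assumes bare management frames with the radiotap header and FCS already stripped; the MAC addresses and frames are constructed samples.

```python
# Added example: which SSIDs does my own device name in its probe requests?
# Note: many phones randomize the source MAC while probing, so filter on the
# address your device actually uses during the test capture.

def probe_ssid(frame: bytes):
    """Return (source_mac, ssid) for a probe request frame, else None."""
    # Byte 0 == 0x40: version 0, type 0 (management), subtype 4 (probe request)
    if len(frame) < 24 or frame[0] != 0x40:
        return None
    src = frame[10:16].hex(":")            # Address 2 = transmitter
    pos = 24                               # tagged elements follow the header
    while pos + 2 <= len(frame):
        tag, length = frame[pos], frame[pos + 1]
        body = frame[pos + 2 : pos + 2 + length]
        if len(body) < length:
            return None                    # truncated element, ignore frame
        if tag == 0:                       # element ID 0 = SSID
            return src, body.decode("utf-8", "replace")
        pos += 2 + length
    return None

def leaked_ssids(frames, my_mac):
    """SSIDs probed for by name; wildcard probes (empty SSID) leak nothing."""
    leaked = set()
    for frame in frames:
        hit = probe_ssid(frame)
        if hit and hit[0] == my_mac.lower() and hit[1]:
            leaked.add(hit[1])
    return sorted(leaked)

def sample_probe(src_mac, ssid):
    """Build a constructed probe request (24-byte header + SSID + rates)."""
    header = (b"\x40\x00\x00\x00" + b"\xff" * 6 +
              bytes.fromhex(src_mac.replace(":", "")) + b"\xff" * 6 + b"\x00\x00")
    raw = ssid.encode()
    return header + bytes([0, len(raw)]) + raw + bytes([1, 4, 0x82, 0x84, 0x8B, 0x96])

MY_MAC = "02:00:00:aa:bb:01"               # constructed address
FRAMES = [                                 # constructed capture
    sample_probe(MY_MAC, "_SNCF_WIFI_INOUI"),
    sample_probe(MY_MAC, ""),              # wildcard probe
    sample_probe(MY_MAC, "LeHACK-2024"),
    sample_probe("02:00:00:aa:bb:02", "Paris Wi-Fi"),   # someone else
    b"\x80\x00" + bytes(22) + b"\x00\x05Hello",         # beacon, not a probe
    sample_probe(MY_MAC, "Free Wifi")[:27],             # truncated frame
]

if __name__ == "__main__":
    print(leaked_ssids(FRAMES, MY_MAC))
```

Any SSID this returns for your device is a name a Karma setup can answer to; forgetting that network or disabling auto-join for it removes it from the list.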

To bring the project to life at LeHack, I used my custom rig of 8x ESP32-C3 boards from Evil-M5Project, each equipped with external antennas.

This setup lets me run multiple programs in parallel as I want: EAPOL sniffing, automatic deauth attacks, standalone captive portals, and even passive wardriving scans, with the desired number of ESP32s and without hopping.

For the event, each ESP32 is loaded with portal code that can handle up to 10 clients in parallel per ESP32, meaning this configuration theoretically supports 80 concurrent Karma connections. On top of that, I had two CardPuters running auxiliary Karma Auto, pushing the total to 100 potential victims in parallel.

Each ESP32 has a specially chosen name, selected using Wigle: SSIDs of the networks used on the trains and in the stations on the way to the event, the free Wi-Fi that Paris provides in town, the same for Free Wifi, a fast food restaurant just in front of the venue, and the SSIDs of the event for this year and the past year, configured with the right password because it’s a WPA2 network; Karma is still effective if the right password is used.

Here is the exact list used. If you were at the event, you probably saw or were connected to one of them, and now you know how:

  • _SNCF_WIFI_INOUI
  • NormandieTrainConnecte
  • freewifi.sncf
  • Free Wifi
  • Paris Wi-Fi
  • McDonald’s France
  • LeHACK-2024
  • LeHACK-2025

Due to the Karma Auto attack running on Evil-Cardputer, some probe requests were detected and replayed for 15 seconds, so this list is not exhaustive.

The rig is lightweight and fully portable. I was able to carry and power it during the entire event without any hassle, with two external batteries (5500 mAh and 6500 mAh). It’s scalable too: you can add more ESP32s. The limit is 10 in parallel if you’re using a single power source for the ESP32s; with multiple sources, the sky is the limit, and I’m already thinking about expanding it for next year.

In short, it’s the perfect platform for chaos in public wireless environments, especially when the goal is awareness through demonstration.

One of my regrets is not having had the time to implement a way to count the total number of unique devices that connected to it, but I got a view by using Evil-Cardputer side by side, checking the probe requests issued when a device connects and using some of the network SSIDs used on the rig to verify that it was actually working.

As a result, it was very effective. As soon as I arrived, I started the Cardputer with the SSID _SNCF_WIFI_INOUI just to test what was going to happen, and in less than 1 minute I had 10 people automatically connected to me.

And each time I deployed it, it was effective (Sta = station connected):


For more information about the Karma attack, you should read this article:


3. The goal – Stay Ethical and Promote the Evil-M5Project

While the technical part of the setup was fun to build and deploy, the core mission remained ethical: to raise awareness about the risks of automatic Wi-Fi connections and demonstrate that Karma attacks still work, even in 2025, while also promoting the Evil-M5Project and its community.

To achieve that, I designed a captive portal that would be triggered automatically upon connection (depending on the OS behavior, more on that later). The portal served a custom page with clear branding for the Evil-M5Project, along with a direct message:

The page explained briefly what a Karma attack is, how it works, and why blindly trusting familiar-looking SSIDs can be dangerous. No credentials were harvested, no malware was delivered, just a moment of realization for the user. The goal was not exploitation, but education through demonstration.

In a world where mobile devices still auto-connect to previously known networks without validating the AP when the stored network was open, Karma remains a surprisingly effective vector, and one that’s often overlooked by both users and enterprise threat models.

And of course, all the links to the GitHub and Discord:


4. Fun – Hacking Hackers at LeHack

For me, LeHack and the project wouldn’t be complete without some direct feedback.

At one point during the talk « Fun with Watches: Hacking a 12€ Smartwatch with Bluetooth Low Energy and 3 Wires », presented by Virtualabs and Xilokar, something unexpected… or expected (?) happened. The machine got karma’d live on stage. While his Linux setup didn’t trigger the captive portal (thanks to how most Linux distros suppress automatic popups; it was not planned at all, and I would have been terribly ashamed to interfere in a full-screen talk in front of so many people), the rogue SSID appeared right there on the projector screen, asking to open the portal, with the SSID _SNCF_WIFI_INOUI.

A perfect moment of stress for me, unplugging the whole thing as soon as possible so as not to interfere, considering the respect I have for him, but Virtualabs said: « well, there’s someone playing with the wifi » and continued the talk like the good speaker he is.

I ran straight to him after the talk to apologize and he just answered: « Oh you know that’s the game haha! ». What a cool event with cool people!

Throughout the day, multiple attendees connected to the rogue networks. Some realized something was off when the portal appeared. Others noticed their phone was on a Wi-Fi they hadn’t joined consciously. A few came up to me, pointing at the rig with a mix of confusion and curiosity, asking:

“WTF is that thing?”

I wasn’t hiding. I openly explained the setup, showed them their devices were indeed connected, and let them explore the portal themselves. The reactions were priceless: a mix of amusement, respect, and concern. Eyes widened. Some laughed. A few took notes. It sparked real conversations about trust, Wi-Fi behavior, and how even tech-savvy users can get caught when SSIDs are cloned just right.

The best part was having someone come up to me to ask what it was, and I just answered « look at your phone first ». They found that the phone was connected to the rig, bringing even more WTF is happening 🤣


5. Community Feedback and Reactions

One of the best parts of LeHack is how open and curious the community is, and that really showed throughout the day.

After seeing the rig in action or falling into one of the rogue SSIDs, many hackers approached me not with anger, frustration or suspicion, but with genuine interest.

Some asked how it was built. Others wanted to see the portal in action. Several people took notes, snapped pictures of the rig, and even asked for the GitHub link to the Evil-M5project. Nobody felt tricked because the intent was clear, and the execution was respectful. If anything, most were impressed by how simple yet effective the attack still is, even at a hacker conference.

It triggered real conversations about Wi-Fi behavior, OS differences (especially around captive portal detection), mobile auto-connect risks, and how many attack surfaces still go overlooked in the real world. Some even shared stories of similar setups they’d tested in the past or ideas to collaborate and expand the project.

In short: the feedback was overwhelmingly positive, and the vibe was exactly what you’d expect from a hacker con: mutual respect, curiosity, and just the right dose of mischief.


6. Conclusion – Mission Complete

Even hackers can get caught. The karma attack still seems effective with a significant attack surface in 2025.

That was one of the biggest takeaways from this experience. No matter how technical or paranoid we are, our devices still carry trust, especially when it comes to remembered networks and background connections we rarely think about. When a Karma attack is well-crafted, with realistic SSIDs and a controlled setup, even the most seasoned professionals might find themselves momentarily fooled.

The Evil-M5Project rig worked as intended: it sparked conversations, raised awareness, and reminded everyone that public Wi-Fi is still a threat vector in 2025. No fancy 0-days required, just a bit of creativity, preparation, and understanding of how modern devices behave.

It also reinforced a few key lessons:

  • Don’t trust public Wi-Fi just because you’ve seen the name before.
  • Know how your OS handles captive portals (not all systems behave the same).
  • Check if your device screams the names of known SSIDs.
  • Linux may protect against popups, but it won’t prevent SSID-based fingerprinting or automatic reconnections.
  • Awareness is everything and a playful demo can sometimes teach more than a long talk.
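One way to act on the first three lessons on a Linux laptop, as an added example (not from the original post or Evil-M5Project): audit saved NetworkManager Wi-Fi profiles for the settings a Karma setup relies on. It parses the keyfile format found under /etc/NetworkManager/system-connections/; the profiles below are constructed samples, and the set of SSIDs with a publicly known password is something you supply yourself.

```python
# Added example: flag saved Wi-Fi profiles that a look-alike AP could trigger.
import configparser

def audit_profile(text, public_psk_ssids=()):
    """Return (ssid, findings) for a Wi-Fi keyfile, or None for other types."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    if cp.get("connection", "type", fallback="") != "wifi":
        return None
    ssid = cp.get("wifi", "ssid", fallback="")
    # NetworkManager defaults: autoconnect=true, hidden=false
    auto = cp.getboolean("connection", "autoconnect", fallback=True)
    hidden = cp.getboolean("wifi", "hidden", fallback=False)
    is_open = not cp.has_section("wifi-security")   # no security section = open
    findings = []
    if auto and is_open:
        findings.append("open+autoconnect")         # joins any AP with this name
    if auto and not is_open and ssid in public_psk_ssids:
        findings.append("public-psk+autoconnect")   # password known to everyone
    if hidden:
        findings.append("hidden-ssid")              # name is sent in probes
    return ssid, findings

def audit_all(profiles, public_psk_ssids=()):
    """Map SSID -> findings, keeping only profiles with at least one finding."""
    report = {}
    for text in profiles:
        result = audit_profile(text, public_psk_ssids)
        if result and result[1]:
            report[result[0]] = result[1]
    return report

def keyfile(ssid, conn="", wifi="", sec=""):
    """Build a constructed sample profile in keyfile layout."""
    return (f"[connection]\nid={ssid}\ntype=wifi\n{conn}\n"
            f"[wifi]\nssid={ssid}\n{wifi}\n{sec}")

SAMPLES = [                                          # constructed, not real
    keyfile("_SNCF_WIFI_INOUI"),
    keyfile("LeHACK-2025", sec="[wifi-security]\nkey-mgmt=wpa-psk\n"),
    keyfile("HomeNet", wifi="hidden=true", sec="[wifi-security]\nkey-mgmt=sae\n"),
    keyfile("Cafe", conn="autoconnect=false"),
]

if __name__ == "__main__":
    for ssid, findings in audit_all(SAMPLES, {"LeHACK-2025"}).items():
        print(f"{ssid}: {', '.join(findings)}")
```

For each flagged profile, `nmcli connection modify <id> connection.autoconnect no` stops the silent reconnection, and deleting the profile removes it entirely.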

For me, LeHack 2025 wasn’t just about showing the devices, it was about sharing a mindset, engaging the community, and showing that offensive tooling can serve a defensive purpose, when used responsibly.

So yes, mission complete and already thinking about what to bring next year.

No zero-days, no exploits, just your phone doing exactly what it was told to.


Special thanks to all the people who spent most of the time with me, crossed my path, exchanged with me, were curious, gave me contacts, or opened my mind to certain possibilities. I’m sure you’ll recognize yourselves 💕

Special sorry to Virtualabs and Xilokar for the disturbance.



4 responses to “How I hacked hackers at LeHack 2025”

  1. Fubar

    You did nothing wrong. Please do not listen to the idiots in the flipper discord. I am sorry they are all dog piling on you.

    1. Th30th3r0n3

      ❤️ It’s a long debate that seems to really depend on the way you see hacking and cybersecurity. Any feedback is welcome if it is constructive.

  2. njnn

    10 kilometers blog post just to say « set up a rogue AP lol »? What year is it?

    1. Th30th3r0n3

      Well, it’s also about the experience I had at LeHack, which seemed interesting to me to share. On the other hand, there is a TL;DR and a summary, so you can stop reading at any time and go to the conclusion, but thanks for your feedback anyway 😊
