Zone 2 - S3

The mission of the Red Team Alliance is to advance the discipline of security by advancing the people in security.

RTA was formed in 2017 when two consultancies recognized the critical need for mature security training and certification that transcends the traditional "brain dump" style trainings found in hotel business centers and conference rooms. In 2025, RTA expanded its mission to serve the global security community, launching region-specific training programs tailored for Europe and Australia, addressing the unique regulatory environments and security challenges in these markets.

Operating from state-of-the-art facilities in Las Vegas, NV and Fredericksburg, VA, with new training partnerships across Europe and Australia, RTA develops comprehensive programs that expose students to real-world environments as they are deployed in the field through immersive hands-on exercises and labs. This natural learning approach not only improves skill retention but bolsters confidence in the field and promotes mission success.

Led by world-renowned instructors including Babak Javadi and Deviant Ollam, RTA offers flagship courses covering Covert Methods of Entry, Physical Access Control Systems, Physical Intrusion Detection Systems, Surveillance Dynamics, and more. RTA has become an essential training provider for organizations and government customers including the FBI, NSA, DARPA, and National Defense University, as well as European and Australian security agencies.

In addition to providing advanced, practical skills, RTA maintains an established certification program offering three progressive credentials: Covert Entry Associate (CEA), Covert Entry Professional (CEP), and Covert Entry Expert (CEE). These certifications validate proficiency and help security professionals stand out in the field.

Through this integrated approach, RTA has established itself as the definitive training resource for security professionals worldwide seeking to master modern physical and electronic security vulnerabilities.

Zone 2 - Workshop Rooms

Join us for a thrilling workshop where you’ll learn the basics of Windows malware analysis, OSINT and CTI, by extracting interesting information from a malware and using it to track down cybercriminals.

Ever wondered how people could make malicious binaries talk? Or how from a single string in a code an analyst could find its developer’s favorite music band? We bring you the best of two worlds, malware analysis and OSINT, in this introduction workshop.

By using some basic malware analysis techniques, you’ll be able to easily extract interesting information from a malware and its functionalities. With OSINT methods, you’ll find how to use the information found in the malware to pivot on data from websites, social networks, and media to extract hidden or forgotten information on your target.

With this 3 hours workshop targeting absolute beginners, you won’t become an expert in both fields, but you’ll have the opportunity to better understand how they work and discover how they can interact with each other.

Zone 2 - Worshop Room 3

Originally developed by MIT, Kerberos is widely used in Microsoft Active Directory environments. Therefore, this protocol is a prime target for exploitation, allowing privilege escalation as well as establishing persistence.

This workshop is designed for cybersecurity professionals who seek to deepen their understanding of Kerberos vulnerabilities and the sophisticated techniques used to exploit them. Participants will embark on a comprehensive journey on Kerberos exploitation, starting with the fundamentals of the protocol and moving swiftly into advanced attack strategies. The workshop will primarily cover:

- Abusing delegations
- Forging tickets (especially Diamond and Sapphire tickets)
- *-roasting (well-known variants as well as their newer versions, such as Kerberoasting without pre-authentication)

Throughout the workshop, participants will engage in hands-on labs to reinforce their learning. By the end of the session, attendees will possess a deep understanding of Kerberos exploitation techniques and practical knowledge to effectively conduct these attacks.
Join us to master the art of Kerberos exploitation and fortify your skills to always be Domain Admin on the first day of your pentest engagement

Requirements:
- Basic knowledge of Active Directory and Kerberos protocol
- A laptop with Exegol (https://exegol.readthedocs.io) pre-installed, with the latest nightly image already downloaded

Zone 2 - Workshop Rooms

This workshop introduces the fundamentals of investigating how cryptocurrency moves across wallets, smart-contracts, bridges, and exchanges. You'll learn how to follow transactions on-chain and apply OSINT techniques to extract context and potential control signals. Through hands-on examples, we’ll explore how to interpret what’s really happening behind the data in a decentralized, multi-chain ecosystem.

Zone 1 - Gaston Berger conference stage

In the past few years, we've tried our hand at Vulnerability Reward Programs of all kinds of mobile vendors’ products and attack surfaces. Like many others, we’ve encountered as many misses as hits, learning valuable lessons from the mistakes we (and sometimes the vendors) have made. In this talk, we will focus on the takeaways from all this. Some of it has got to do with how to and not to select an attack surface or a product model, how to decide what to give up on and what to double down on, and how to make the best use of the decisions that vendors communicate and the security updates they publish. To keep the content technical, we’ll go back to our vault of Android vulnerabilities and discuss some of our past VRP submissions in the context of lessons to take from them. 

Zone 1 - Gaston Berger conference stage

Let’s face it: The apocalypse is being debugged by idiots. Picture this: A state-sponsored hacker in a tracksuit hijacks a Modbus-connected dam in 1990s-era code. A disinfo bot army blames the resulting flood on “vegan energy policies.” Meanwhile, your smart thermostat becomes a pawn in a cyberwar over Arctic oil. Welcome to 2025, where climate action is getting hacked faster than your grandma’s Facebook. In this talk, we’ll explore: - APTs’ climate kill list: Energy grids, carbon capture labs, fusion reactors—all hacked via 1970s-era code. - Why Modbus is the cybersecurity equivalent of a flip phone—and why APTs love it. Geopolitical clown shows: - Russia’s “Dark Winter” playbook: How Sandworm hijacked Modbus to freeze European cities and spark a fossil fuel revival. - China’s “Silent Grid” ops: APT41’s attacks on solar farms and EV charging networks—and the shockingly simple Modbus flaws they exploited. - The Lazarus Greenwash: North Korea’s fake ESG ransomware targeting carbon credit markets. - Iran’s “Sandstorm”: Manipulating water treatment sensors to worsen droughts in rival nations. - Stupid human tricks: From AI-powered grid attacks to hacking disaster relief drones. - How to unf* the future**: Threat hunting for climate villains, securing OT systems with duct tape and hope, and why cyber hippies might save the world. You’ll walk away with: - APTs’ TTPs for OT attacks: From Modbus MITM to PLC bricking. - How to weaponize threat intel: Correlating geopolitical events with ICS vulnerabilities. - The Future of Climate Cyberwar: AI-Driven Attacks on Hydrogen Plants, Quantum Exploits, and Why COP30 Might Become a Hacker’s Playground (Hopefully Not!)

Zone 3 - Louis Armand Conference Room

The Baybridge study uses OSINT to build on previous research about a large-scale Chinese online influence operation. By digging into technical and Chinese online resources, the study aims to (1) comprehensively map the online infrastructure of the network, (2) present new evidence of possible state involvement, and (3) analyze content to reveal discursive strategies, targeting methods, and the implications of Russian stakeholders. These insights aim to improve understanding of this phenomenon and combat online information manipulation.

Zone 3 - Louis Armand Conference Room

Robert Sell has been a certified human tracker in his capacity as a Team Leader in Search and Rescue for over a decade. Trained by border services tracking teams and Canadian Special forces, Robert has spent countless hours as a three person tracking team searching for real persons in the Pacific North West. He applies the tracker skillsets to help people improve their Open Source Intelligence Operations. As the Founder of Trace Labs he has had the opportunity to see the OSINT strategy and techniques of thousands of investigators. He uses this knowledge to compare and show best practises from the tracking field to help OSINT investigators. Robert lowers the curtain on the skillsets and approach real trackers take. This includes everything from detecting state of mind to sign cutting concepts. This talk will allow you to see what was previously invisible to you.

Zone 3 - Louis Armand Conference Room

This talk presents an original investigation at the crossroads of OSINT and cybercrime: the analysis of stealer logs — not from victims, but from the cybercriminals themselves.
Infostealers are malware designed to exfiltrate sensitive data to Command-and-Control (C2) servers. However, our research reveals that due to negligence or lack of operational security, some threat actors end up falling victim to their own tools. By analyzing these “leaked” or compromised stealer logs, we’ve been able to profile a wide range of actors — from inexperienced users exposing their personal credentials, to advanced operators managing multiple malware campaigns simultaneously.
Through concrete case studies, we will demonstrate how OSINT techniques can be used to turn attackers’ tools against them, exposing their practices, mistakes, and even parts of their infrastructure. This talk offers a rare behind-the-scenes look at the infostealer ecosystem and highlights how intelligence gathering can reveal the human flaws behind cybercrime.

Zone 3 - Louis Armand Conference Room

In this talk, Marwan Ouarab, founder of Find My Scammer, reveals how open-source intelligence (OSINT) techniques helped him uncover the real identities behind a global romance scam in which fraudsters posed as Brad Pitt to deceive and extort victims worldwide. By tracing digital breadcrumbs, analyzing infrastructure, and pivoting through online identities, Marwan dismantled a network of scammers who operated with shocking coordination. This talk dives into the technical methods, investigative challenges, and the human stories at the heart of one of the most bizarre celebrity impersonation scams in recent years.

Zone 3 - Louis Armand Conference Room

We'll be running Tracelabs Search Party CTF live in Paris during leHACK! The event will be live from 17:00 to 21:00 Paris time and will be available only for in-person attendees. More details will come soon.Cost: FreeRegistration: To be definedWe need volunteer OSINT CoachMore information : https://docs.google.com/forms/d/e/1FAIpQLScKCb7108-BxouwkQv7SHGrCbztsxFTSey45QEd-tzyzSv31A/viewform

Zone 3 - Louis Armand Conference Room

Since the disappearance of Yevgeny Prigozhin in August 2023, the future of the Wagner PMC's digital influence operations—particularly in Africa—has raised many questions. Recent analyses suggest that these activities persist, though in a transformed manner, and now appear to be integrated into the Russian state’s broader informational influence strategy.

A key player in this new dynamic is African Initiative, a Russian news agency founded in Moscow in September 2023. It presents itself as an information bridge between Russia and Africa. Through its various channels, it disseminates pro-Russian and anti-Western content in multiple languages, including French.

This talk will detail the TTPs (Tactics, Techniques, and Procedures) of the “AI-Freak” modus operandi associated with African Initiative and will showcase several original OSINT pivots used in the investigation.

Zone 3 - Louis Armand Conference Room

The Federal intelligence service says in its annual report around 20% of Russian diplomats in Switzerland are spies. Is it possible to fact-check that using open source information or leaks ? Using the sources we found, we will try to explain our research strategy, the tools we used and who knows, find some guys or interesting profiles.

Zone 3 - Louis Armand Conference Room

Bread & butter of defence OSINT, OSINT goes to war in the Black Sea, the risks of revealing sources, and deception & countering OSINT

Zone 3 - Louis Armand Conference Room

This talk discusses web scraping techniques for the Chinese internet, covering sources like social media and official government websites. It highlights that, contrary to popular belief, China's political processes do not need to be a black box. Millions of government documents can be found online that can illuminate developments in the country, sometimes even on sensitive affairs. Web scraping techniques can help pry open this black box and help see the forest for the trees. Yet, the talk also focuses on how extensive challenges remain, ranging from geo-blocking to "real-name registration".

Zone 3 - Louis Armand Conference Room

Criminals want to own their villa on french riviera or their apartment in Dubai. No need to have police powers to find out where they invest their money. It only takes some open data and OSINT technics for journalists to follow the money. This talk covers how journalists from Le Monde investigate russian oligarchs, drug traffickers and other kleptocrats real estate assets, and why open source is so important.

Zone 2 - Workshop Rooms

This workshop introduces the fundamentals of investigating how cryptocurrency moves across wallets, smart-contracts, bridges, and exchanges. You'll learn how to follow transactions on-chain and apply OSINT techniques to extract context and potential control signals. Through hands-on examples, we’ll explore how to interpret what’s really happening behind the data in a decentralized, multi-chain ecosystem.