Every year between Christmas and New Year’s, about 16,000 hackers, researchers, activists, and lawyers converge on a single convention center in Hamburg. They carry soldering irons, DECT handsets, and unpublished exploits. Over four days, roughly 165 curated talks land on stages alongside hundreds of community-run “assemblies.” Some of those talks have sparked parliamentary hearings, criminal investigations, and international lawsuits. Others have simply rewritten what a protocol or a fingerprint scanner is assumed to be able to do.
This is the Chaos Communication Congress, the annual gathering of the Chaos Computer Club (CCC) — a conference whose output reliably shapes European tech policy, cybersecurity research, and digital rights activism for the next twelve months. Unlike DEF CON or Black Hat, Congress is not a commercial event. It’s organized by volunteers, priced to be accessible, and just as interested in surveillance law, AI ethics, and fascism as it is in ring-0 exploits. That combination is the reason security researchers, lawmakers, and journalists pay attention to what happens there.
Where Congress Came From
The CCC was founded in Hamburg in 1981 by Wau Holland (Herwart Holland-Moritz) and Steffen Wernéry at a time when the West German postal monopoly, Deutsche Bundespost, criminalized the use of unapproved modems. The first Chaos Communication Congress followed in 1984 and drew roughly a hundred people. That same year, the club executed the hack that made it internationally famous.
In the night of 16–17 November 1984, Holland and Wernéry exploited a flaw in the Bundespost’s Bildschirmtext (BTX) videotex system — an overflow in the page-editor software that leaked cleartext data, including a Hamburger Sparkasse password. They wrote a 31-line BASIC program that repeatedly called a paid CCC BTX page from the bank’s account, accruing about 134,000 Deutsche Marks in fees overnight. The next morning they returned the money on public television and used the spectacle to demonstrate that BTX was not secure. The CCC had warned the Bundespost and data protection authorities about the flaw weeks earlier and been ignored.
That pattern — disclose, escalate, publicly humiliate, return the money, push for reform — has been the CCC’s playbook ever since. Congress is the stage where the year’s version of it is performed.
How Congress Actually Works
Congress runs 27–30 December each year at the Congress Center Hamburg (CCH). The most recent edition, 39C3, carried the theme “Power Cycles” — a play on rebooting computers and on the demolition of aging political orders. The 2024 edition, 38C3, was called “Illegal Instructions,” and 37C3 in 2023 ran under “Unlocked.” The theme frames the opening and closing ceremonies but isn’t a content filter; talks range from binary exploitation to prison communications to the philosophy of AI consciousness.
The stage program is curated across seven tracks: Security, Hardware, Science, Art & Beauty, Ethics, Society & Politics, and Entertainment. Roughly half the talks are in German with live English translation, and nearly all are live-streamed and archived at media.ccc.de within hours — a policy that makes Congress unusually useful for researchers who can’t travel to Hamburg.
The stage is only part of what’s happening. “Assemblies” are self-organized community spaces spread through the venue — topic-specific villages where people run workshops, small talks, and ad-hoc hardware projects. Volunteers, called “Angels,” run most of the infrastructure: the network, the help desks, the food, and a working DECT phone system with more than 5,600 extensions registered at 39C3. A long-running in-house pager network runs over amateur radio at 439.9875 MHz. Attendees don’t just consume Congress; they build it every year from scratch and tear it down on December 30.
Why Security Researchers Treat It as a Disclosure Venue
For defensive-minded readers, the single most useful thing to understand about Congress is that it functions as a disclosure venue. Researchers hold findings for the stage, often negotiating with vendors to align fix timelines with the schedule. Trail of Bits publicly discussed doing exactly this with its LeftoverLocals bug — a GPU memory-leakage vulnerability affecting AMD, Qualcomm, and Apple chips — which the firm had planned to present at 37C3 before delaying the release to January 16, 2024 to give vendors more remediation time.
Several research threads have spanned multiple Congresses in a row. Wouter Bokslag and Jos Wetzels presented reverse-engineering of the TETRA radio protocol — used by police, military, and critical infrastructure across Europe — at 37C3, and returned to 38C3 with analysis of TETRA algorithm set B (TEA5–TEA7). The 2023 disclosure revealed previously secret proprietary encryption and multiple vulnerabilities in what authorities worldwide had treated as a trusted standard.
At 39C3, Dennis Heinze and Frieder Steinmetz of the German firm ERNW demonstrated how an attacker in Bluetooth range of a victim’s wireless headphones could connect without pairing via Bluetooth Low Energy, dump the headphone firmware, manipulate it, and use that foothold to take over a WhatsApp account through the caller-verification flow. A live demo showed the attack reading the song a target was currently listening to, all without the user noticing.
Research at 39C3 also examined the cryptographic state of Chinese mobile apps, analyzing nine encryption protocols across the roughly 2,000 most-used applications on the Google Play and Xiaomi stores. The findings — about 47.6% of Xiaomi Store apps in the sample using proprietary, non-standard network cryptography in 2024, dropping roughly 9 points in a 2025 re-examination but still high — gave regulators and researchers concrete data on a problem long suspected but rarely quantified.
The Newag Train Case: How a Congress Talk Becomes a Legal Battle
The single clearest recent example of how a CCC disclosure reshapes a whole industry is the Polish-train DRM story, which has now spanned three Congresses.
At 37C3, three hackers from the Polish group Dragon Sector — Redford, q3k (Sergiusz Bazański), and MrTick (Jakub Stępniewicz) — presented “Breaking ‘DRM’ in Polish Trains.” The rail operator Koleje Dolnośląskie had bought 11 Impuls 45WE electric multiple units from Polish manufacturer Newag; when an independent shop, SPS, won a servicing tender over Newag, trains serviced by SPS mysteriously failed to start. Dragon Sector reverse-engineered the firmware across 30 trains and found that 24 contained what they characterized as malicious implants: GPS-geofenced lockouts keyed to competitor repair-shop coordinates, idle-time lockouts, serial-number checks on replaced parts, and composite private keys required to unlock affected trains.
At 38C3, the same researchers returned with “We’ve not been trained for this: life after the Newag DRM disclosure.” Newag had responded to the original disclosure by filing two civil lawsuits against Dragon Sector — one through its IP management subsidiary for alleged unfair competition and IP infringement, reportedly seeking up to €1.3 million, a public apology, and an order preventing further statements about the Impuls trains. Polish parliamentary workgroups, criminal investigations, and a TV documentary followed. The CCC set up a legal defense fund; by the end of 2024 it had received 330 contributions totaling €19,176.03. Polish regional operator Polregio reportedly paid Newag €23,000 per train to unlock locked vehicles, an operation that took Newag engineers about ten minutes each.
That is the compressed version of what Congress does: a three-person team presents technical findings, the manufacturer counter-attacks legally, the hacker community funds the defense, the story reaches national parliaments, and right-to-repair advocates gain concrete evidence that manufacturer-side parts-pairing and DRM are not theoretical.
The Political Half of Congress
Treating Congress purely as a technical event misses roughly half of what happens there. The CCC has been an advisory force in German and European digital policy for decades. Its members regularly testify before the Bundestag and act as expert witnesses for the German Federal Constitutional Court on surveillance, data retention, and encryption.
Two recurring threads define that work. The first is surveillance accountability. In March 2008 the CCC obtained Wolfgang Schäuble’s fingerprint — the then-Interior Minister was the official pushing biometric e-passports — lifted it from a water glass, and published it on a film insert readers could use to defeat fingerprint readers. At 31C3 in 2014, Jan Krissler (Starbug) extended the attack by reconstructing Defense Minister Ursula von der Leyen’s fingerprint from standard press-conference photographs using the commercial VeriFinger tool, demonstrating that high-resolution press images alone were sufficient. Starbug also published an iris-from-photo attack using images of Angela Merkel.
The second is government-malware oversight. In October 2011, the CCC published a reverse-engineering analysis of the German Staatstrojaner (“federal trojan”), a surveillance tool deployed on suspects’ computers. The analysis documented capabilities exceeding what the Federal Constitutional Court had authorized — screen capture, remote code execution, fetching arbitrary additional payloads — and substantial security failures, including unauthenticated unencrypted command-and-control and traffic routed through a U.S. proxy that placed data temporarily outside German jurisdiction. The findings were widely reported in the German press and forced a public debate about the legal limits of state malware.
At 39C3, political tracks included talks on the EU’s “Omnibus” reform package and its impact on a decade of digital-rights legislation, and on decentralized internet governance beyond American-dominated infrastructure. The closing talk at 38C3 — “Return to legal constructions” by Gabriela Bogk and Aline Blankertz — illustrates the venue’s standard mix: a technical community framing its work in an explicitly legal-activist register.
How Congress Compares to DEF CON and Black Hat
Congress is Europe’s closest analog to DEF CON in scale and cultural weight, but the differences matter if you’re deciding whether to attend.
The practical takeaway: Black Hat is where security budgets get spent, DEF CON is where U.S. hacker culture convenes, and Congress is where research that has policy or legal consequences gets disclosed in front of an audience that includes the relevant regulators and lawyers. If you’re doing research that touches EU law — GDPR, the Cyber Resilience Act, AI Act, right-to-repair — Congress is where it lands hardest.
What It Feels Like to Attend
Tickets go on sale in the fall and sell out within hours. Attendees are expected to participate, not just consume: joining an assembly, signing up as an Angel, or running a lightning talk are treated as default behaviors. Photography of other attendees is strongly discouraged — a cultural norm rooted in the activist and political-dissident communities who rely on Congress being a safe space.
The venue runs its own full telephony infrastructure with DECT handsets, SIP, and even SIM support on the Congress network. Assemblies include a pager playground, a constantly updated indoor navigation app (c3nav), and projects ranging from retro-computing to hardware-hacking villages to Blinkenlights-style soldering workshops. Talks typically run from late morning until past midnight; after hours is when most of the cross-pollination with other researchers actually happens.
For security professionals attending for the first time, two pieces of advice show up in every recap: prioritize the in-person experience over the livestreamed talks (you can watch them afterward), and accept that you will miss most of the program. There is no way to see all seven tracks simultaneously.
FAQ
Is Congress free? No, but it’s priced to be accessible — typically around €150 for the full four days, with reduced and supporter tiers. The pricing reflects the all-volunteer, non-profit model.
Are the talks in English or German? Roughly half are in German and half in English at recent editions. Live English translation is provided for most German talks. Video recordings with subtitles go up on media.ccc.de during or shortly after the Congress.
Do I need to be a hacker to attend? No. Congress explicitly welcomes activists, journalists, policy people, artists, and curious members of the public. The CCC’s own self-description frames it as a “galactic community of life forms” rather than a technical society, which is not entirely a joke.
How do I propose a talk? The Call for Participation opens in September each year on events.ccc.de. Talks are curated by track teams of volunteers. Congress is not pay-to-play — vendor and sponsor talks are essentially absent from the curated program.
The Significance
Most cybersecurity conferences are commercial events where vendors sell to enterprise security teams. Congress is something structurally different: an annual coordination point for a community that treats security research, civil-liberties activism, and open-infrastructure culture as the same project. That’s why disclosures there consistently produce parliamentary hearings, regulator investigations, and case law rather than just press coverage.
If you work in security and have never engaged with Congress — even just by watching the talk archive — you’re missing the venue where European digital-rights reality is argued out each year. The 40th edition, 40C3, is expected to return to Hamburg between Christmas and New Year 2026. Registration typically opens a few months ahead; the Call for Participation is already live for anyone with research worth disclosing.