GiCP at RootedCon 2025

GiCP attended RootedCon 2025 – the information security conference held in Madrid on March 6–8. This event brings together most of Spain’s cybersecurity community in its various facets, offering thematic tracks based on areas of interest such as AI, DFIR, and OSINT, among others. The aim of the conference is to promote the exchange of knowledge among members of the security community.

GiCP actively contributes to the SafeHorizon project, collaborating with research entities, private companies, and LEAs across the European Union. Their main focus is on innovations in detecting and disrupting Crime-as-a-Service operations, particularly in areas such as monitoring transnational criminal networks, analysing cybercrime marketplaces, combating child sexual abuse and trafficking, and tackling Malware-as-a-Service. As a result, many of the conference talks were of great interest to members of our research group.

Among the sessions of interest for GiCP members, the following stand out:

• Game of Forums: This session showcased some of the peculiarities of the cybercrime ecosystem and its movement on Dark Web forums. It was presented by Ainoa Guillén, Gloria Jorge Lema, and Claudia Sánchez-Girón López.
• How to Get Rich with a QR Code. CVEs Found on a Bitcoin ATM: This talk explored the discovery and exploitation of vulnerabilities in a Bitcoin ATM—from exiting kiosk mode to how to use the QR code reader to carry out an attack from the terminal.
• Specializing in Malware Development? Heroes and Villains: Presented by Oscar Gallego Sendin, this session recounted the evolution of malware from the early days of computing, including activities carried out by the group 29A.
• Traffers: Where Two Steal, Three Get Infected: This presentation explained how traffickers operate and the sale of stolen credentials via cloud services, as well as their relationship with other cybercrime actors such as ransomware groups and Initial Access Brokers (IAB). Presented by Borja Rodriguez.
• When the Fire Burns You: Yolanda Corral discussed the importance of new forms of harassment and sexual cyberviolence, such as the non-consensual sharing of explicit content, the creation of nudity deepfakes, and their relation to CSAM.
• What Are AI Models Made Of? Risks Beyond Pickle: This talk addressed the possibility of being infected—particularly through the execution of malicious code—when running LLMs locally using Ollama, Hugging Face, or vLLM. Presented by Florencio Cano Gabarda.
• AI Agents in Reverse Engineering: This session covered how to perform reverse engineering using Radare and reasoning LLMs, thereby assisting the investigator and significantly improving outcomes. Presented by Javier and Alejandro Vidal.
• Round Table: Tebas and Football: A special mention goes to the roundtable discussion on how LaLiga is indiscriminately blocking legitimate websites and affecting net neutrality and users’ rights by imposing its economic interests. Speakers included Román Ramírez, Omar Benbouazza, Ofelia Tejerina, Tomás Ledo Guerrero, and Javier Maestre.
• Complex DFIR Acquisitions: The Devil Is in the Details: This presentation detailed practical cases common during a DFIR acquisition and how they required technical planning and overcoming obstacles in judicial, corporate, or industrial settings. Presented by Buenaventura Salcedo Santos-Olmo and Alejandro Chirivella Ciruelos.
• HUMINT Techniques Applied to Cybercrime Investigation: In this session, Javier Rodríguez and Daniel Villegas explained some of the human intelligence techniques used by both cybercriminals and investigators.
• SPY x Trust – Psychological Techniques of Persuasion and Manipulation Applied to Social Engineering: Raquel Ibáñez Lopez demonstrated techniques that once again show how the human factor is always the weakest link and how it can be exploited in social engineering attacks.

As noted above, many of the sessions were directly related to the areas of interest of the SafeHorizon project. This has allowed the GiCP attendees to reinforce and deepen their knowledge of the relevant topics they are working on, such as the identification and use of tools by threat actors, the correlation of cybercrime networks, the deanonymization of actors involved in the creation and dissemination of CSAM, the study of the ecosystem of forums used by cybercrime, among other topics of interest.

In addition to the sessions and knowledge sharing within the community, RootedCon also provided an opportunity to engage in meaningful conversations with some of the most active community members, as well as to build and maintain relationships with industry peers.

RootedCon 2025 proved to be a dynamic and influential gathering for cybersecurity professionals. The conference not only offered diverse technical insights and innovative approaches to modern challenges but also fostered valuable networking opportunities. Overall, the event significantly contributed to advancing knowledge and collaboration within the cybersecurity community.