Four South Korean journalists were booted from the Defcon hacking conference this week after conference organizers decided their story didn't quite add up.
Conference representatives released few details of the incident. They said Sunday that they'd ejected the journalists two days earlier after deciding that they simply weren't acting like press.
They believe that one member of the group was a legitimate journalist, but that the other three were on some sort of intelligence-gathering expedition.
Hackers who the group interviewed at the show said that their questions seemed inappropriate, organizers said. The journalists attended one day of Defcon's Black Hat sister conference before being ejected on Friday.
Defcon did not release the names of the journalists or say who they claimed to work for.
This kind of incident happens nearly every year, said one of the show's senior organizers who goes by the name "Priest."
In the past, they say they've caught members of Mossad, the French Foreign Legion, and other organizations posing as press. By registering as journalists, they can get more time to query researchers and raise no suspicions by asking probing questions.
"When you think about it, being a member of the press is a pretty good cover because you can ask difficult questions, people love to see their names in print and in lights, so they're much more likely to talk to you, so you can get away with a lot more," Priest said.
The French Legionnaires were easy to spot, he said.
"There's a certain body type you find with people who are in that type of work," he said. "Broad shoulders, narrow waist, not very tall. I'm looking at these guys, going, 'You're in far, far too good shape to be press.'"
The Legionnaires eventually admitted that they were not press and were allowed to stay at the show as regular attendees. They even went on stage for Defcon's annual "spot the fed" contest where people are invited to pick out government employees from a group of attendees.
Government employees posing as press often move very quickly to technical questions, rarely showing any interest in the motivation behind the research. They get "very technical very quickly," Priest said.
"They're much more interested in what the latest is and what the greatest is and how they can use it."
Often they also ask about U.S. government systems or seem to be gathering intelligence on the presenters, he added.
And often attendees are happy to provide the information, thinking that it may be used in an article, particularly young, inexperienced hackers, Priest said.
"You've got usually a very introverted individual, who usually doesn't have a lot of friends, and if you have someone paying attention to you... you're flattered; you're ego's being stroked; you're much more likely to try to impress that person."