We Had to Ban 65 Teams to Get a Top 10 Leaderboard
A post-mortem on cheating, AI slop, the slow death of competitive CTFs, and a short analysis on the pitfalls of CTF challenge design.
official BYUCTF 2026 participation certificate (self-issued)
Every year we hand out the same participation cert. Made it in MS Paint in 2024. Just felt like a waste to not reuse it.
This year marks the third year I’ve been helping run BYUCTF and the BYU Cyberia CTF team. Over the last few years, I’ve built dozens of challenges, hosted 10+ CTFs, and competed in dozens more both alone and as part of BYU Cyberia. I’ve written most of the OSINT challenges for BYUCTF during that time, which means I get to enjoy watching people crash out over things I built. It’s great.
Unfortunately, hosting large international CTFs can occasionally come with issues. Sometimes your challenges suck, or your platform is buggy, but this year our main problem was with the people participating.
The CTF cheating epidemic
That title might be a little doomer and definitely clickbait, but I am nothing if not willing to exaggerate for dramatic effect.
In BYUCTF25, the number of teams we disqualified for cheating was very small. Maybe we just weren’t looking, who knows. In BYUCTF26, the number of teams we disqualified for cheating was enough that we had to delay releasing a scoreboard for days after the competition had ended.
Before the CTF started, I assumed we would ban maybe 5-7 teams from the top 25 for cheating. I secretly hoped we would get 10-15 of the top 25, as that would make for a way better blog post.
Unfortunately, we were not able to get a real top 25 at all. We stopped at the top 10, because we had to ban 65 teams for cheating before we had a top 10 leaderboard of clean teams. 65 teams. We banned the first 21 teams for cheating, then another 7 after that before we had made it to two good teams.
A short disclaimer before we get into it
All of the organizers of BYUCTF collectively decided not to publicize the list of teams we banned. While there were definitely teams that were just straight up cheating, the vast majority of teams we banned were banned for the actions of a single member. In most cases, the rest of the team was competing honorably, so we didn’t feel it was fair to publicly shame the entire team for that.
That being said, if you are an organizer for a large, public CTF, you are welcome to reach out to me by email and get some more information about some of the teams we banned for actual cheating (flag sharing, multiple accounts, etc.) You can reach me at .
The problem with AI in the world of CTFs
Over the course of the last year, many popular AI companies have made aggressive pushes into the CTF space. At first, I think many of us assumed that there would be nothing of substance, and it would die out. Unfortunately, I was wrong. AI has gotten very good at solving a lot of CTF challenges.
Now, you might think this is because AI is just smarter than everyone, and that’s that, but I actually believe that it is because the vast majority of CTF challenges involve looking at code. AI is great at looking at a lot of code very quickly. A website that might take a human 20 minutes to parse through can be done in seconds by a sufficiently powerful AI agent. A binary that might take a human hours to decompile, learn, discover the vulnerability, and trial-and-error their way to a payload can be done by an AI agent in just a few minutes. In my opinion, it has nothing to do with the intelligence of the AI itself, but rather than CTF challenges have largely been written the same way for basically forever.
Web challenges are still just a website or web system. Reverse Engineering challenges are still just parsing through code (either statically or dynamically). Binary Exploitation challenges are still just rev challenges but you have to be single.
Even less popular topics like Cryptography or Digital Forensics are able to be solved in minutes by a good AI agent. Popular “find the paper” type challenges are rendered completely useless against AI agents, as they can just find the right paper immediately.
There is one (kinda) exception to this trend (kinda), and that is OSINT (kinda).
Now, I’m not gonna spend a lot of time talking about the teams we banned for using AI. We at BYUCTF decided long ago that we wanted to host a 100% AI-free CTF. No AI usage to solve challenge. If you pointed any kind of agent at the platform, gave a challenge file to ChatGPT, or anything that solved a challenge for you, that was not allowed. In many cases, it was pretty hard to prove AI usage. That was generally left to smarter people than me who knew their challenges and what was or wasn’t possible.
What I will spend time talking about are the teams that were banned for non-AI related reasons. By far the most common form of cheating we detected was using a second team on our CTFd platform to get around submission limits in OSINT challenges.
A quick side note
Because of the nature of OSINT challenges, sometimes we choose to put a maximum number of attempts on a challenge. Take a challenge like:
Find the name of the middle school I went to as a child
This challenge is easy, because if you know what city I grew up in there are literally only 4-5 possible answers. You could just brute force the solution on the platform, and move on. In this scenario, I would choose to give a maximum of two attempts to every team. One to cover spelling mistakes, and one to redeem themselves. If you use your two attempts, you are just cooked I guess.
Back to cheating
What we found, was that a surprising number of teams had members who were accessing multiple teams at the same time, and using those alternate teams to brute force many of the OSINT challenges. Now, a smart team knows that its really not that hard to hide that. Just use a different IP address to make and access the second team, solve the challenges, then wait a while before entering the flags on your main team account. Fortunately for us, most CTF teams are genuinely morons.
The number of teams that just clearly cheated with a second (or third or more) team was crazy. We had everything from teams accidentally using the same email accounts to register both teams, to teams submitting literally every single OSINT flag within 10 seconds of the second team solving each, to things like a guy accidentally submitting a ticket for another team after telling us he was a member of a different team before. My favorite interaction though, was this one. I’ve redacted their name for privacy, but it was pretty funny.
Now, multiple accounts is obviously cheating, but what I thought was even crazier was flag sharing between some of the top ranked teams on CTFtime. I won’t say which teams (well, maybe I will, but you might have to convince me), but both teams are in the top page in the world on CTFtime right now. That’s all I’m gonna say. One of the teams is the top ranked in their country, and when confronted about it, they lied to us, changed the name of their team three times, and even tried to delete their team.
You might be wondering, “how did you know they were flag sharing?”
I will talk about the OSINT challenges I wrote in the next few sections, but to give you some pre-emptive context (there should be a word for that…), some of the challenges I wrote for this year were part of a “series”. In this series, you had to solve certain challenges in a certain order. The second OSINT challenge in one of these series relied on information gathered in the first challenge. In fact, to unlock the ability to interact with and solve the challenge, you had to have solved the first. Only after solving the first challenge would the ability to see the second challenge happen. Well this team didn’t know that I guess, and attempted to submit the flag for the second challenge in the box for the first. When I asked them about where they got the flag, they immediately folded and said they had gotten it from another team, but that they didn’t know who it was.
Even crazier though, was that one of the flag-sharing teams was essentially a splinter group. Some members of a top-10-in-the-world team didn’t make the cut for the main roster, so they competed separately. The main team got banned for AI usage. The splinter team got banned for flag sharing with another top global team. Then, after getting banned, the splinter team decided to brag to us about how they had used AI, and casually mentioned that the main team (again, top 10 in the world) had been using AI the whole time too. I have a screenshot of this. I’m not gonna post it, but it’s insane.
OSINT, but the part where I talk about internet privacy and trick you
Anyone who has played BYUCTF in the last two years will probably be very familiar with the name Cameron Snider . That is me, if you can’t guess.
Last year, I really wanted to write some OSINT challenges about tracking a real person’s past online. Unfortunately, it’s basically impossible to convince someone to let thousands of random hackers look deep into their online activity. As such, I chose myself as the subject, and wrote a few challenges about my past. It was really fun watching people dig up stuff that even I didn’t realize was out there, but it also led to some of the most interesting thoughts about internet privacy I’ve had the pleasure of thinking about.
One of the most common questions I got from participants (and non-participants, as it has come up in a job interview now), is something along the lines of “isn’t it scary to let people find that kinda stuff about you?”. It’s an interesting question to me, because it implies that the information in question was not already publicly available for anyone on the internet to find. Just because I wrote a CTF challenge about it and put a target on myself doesn’t mean that that information suddenly appeared. It doesn’t mean that it wouldn’t be out there had I not ran the challenges. That information is public whether I wanted it to be or not. The things I didn’t even know were out there, were public.
Think about yourself for a moment. I am a 23 year old college student. I’ve generally been somewhat careful about what information I give out online, and even I had a few things out on the internet that made me mildly uncomfortable. Think about you for a moment. Due to the nature of this blog, many of the people reading this are probably not too far away from me in terms of security and privacy, but even if you think you are safe online, there is data about you everywhere. That is the world we live in today. Every piece of information you give to a company or corporation has been packaged and sold for literal cents. Every social media post. Every picture of you. Every mention of your name. Its all out there.
Running OSINT challenges about myself honestly made me feel way better. I realized that most of the easily accessible data about me was pretty tame, and only a sufficiently motivated person could really hurt me. That being said, a sufficiently motivated person could REALLY hurt me. Or you. Or anyone.
If you are a sufficiently motivated person, please don’t hack me. I have no money, and you will likely be disappointed.
Why is OSINT (kinda) safe from AI agents?
Ok, so we talked about the drama of CTFs, but now I want to share some of my ideas for writing challenges this year.
OSINT as a category involves using publicly available (and often free) information to learn about a person, place, or thing. In the context of CTFs, OSINT challenges generally fall into one of three categories.
- Find the Social Media
- Geoguessr
- Find the Random Archive
AI is pretty good at solving any of these challenges, but where AI struggles is in deep logic and reasoning. While writing challenges for BYUCTF26, I chose to have both ChatGPT and Claude help me playtest my OSINT challenges. The goal was to see if they were easily slopable or not. I was kinda surprised to see that neither Chat nor Claude could reliably solve what I had made.
My challenges were each different. First, there was a series made as an extension from last year, where participants had to find information about me from my childhood. In my experience, commercial AI agents were not very willing to dig deep into my past as it violated some internal rule about not researching a real child.
Second, there was a challenge that involved finding a social media account, and pivoting from there to find flight data about an airplane, ending in finding a google review of an Olive Garden. What was interesting about this challenge, was that AI would frequently get stuck on an unintentional red herring. The social media account in question had a number of posts, but the intended post was the one that revealed the tail number of the plane you needed to research. On that same account however, was an AI generated image of the inside of a fake Olive Garden restaurant. 9/10 times, the agent in question would find the right account, but then waste time and tokens trying to figure out where that image was taken. In reality, pressing a single button brought you to the right picture.
It brought up an interesting concept about AI, which is that it still isn’t very good at complex reasoning. A normal human would look at all the images first. An AI would get stuck trying to solve what it believed was the right challenge. This tripped up A LOT of teams, which made me feel like many teams were probably using AI.
Finally, the last OSINT challenge involved taking everything you had learned about the fake person in the last challenge, and interacting with an AI chatbot pretending to be them. This is less of an OSINT challenge, but I run the CTF so I get to decide where challenges go. This was another challenge that really tripped up AI, as most agents would be unable to interact with the chatbot in question. They just didn’t understand how to do it. Having to send a message, then wait for a response, and send another message was just too hard.
It brought up an equally interesting question about the nature of stateful interaction in the AI world. At this point, AI agents are still largely unable to interact with something that is stateful, and requires any real amount of waiting. The AI either doesn’t wait long enough, or ends up waiting way too long. Either way, its burning tokens the whole time. In the case of my chatbot challenge, most agents I tested would send in an initial first message, but then get caught up trying to read and respond.
A second positive byproduct is that the agents I tested would literally just refuse to try and jailbreak the chatbot in any way. They would only interact the intended way (actually chatting with it), but even then I found that they would get caught in these loops of trying to push too aggressively. When I wrote the instructions for the chatbot, I specifically mentioned that I wanted it to have to build up enough trust in the other person first. The agents I tested were not patient enough to not immediately start pushing the chatbot for information. Once you do that (even once), the chatbot shuts down and will refuse to move forward. The AI agents playtesting didn’t have the ability to understand why that was happening, and I watched Claude churn for like 30 minutes trying to get the flag.
These OSINT challenges this year really stopped a lot of teams from slopping their way through the entire CTF. Many of the teams we disqualified for AI usage solved everything except the last two challenges I mentioned. At some point, I will write more about this, but I’ve already taken up a lot of your time.
Why does any of this matter?
If you look around at post-mortem writeups from other CTF organizers out there, it doesn’t take long to realize that the CTF space is being invaded with a massive amount of AI slop. Teams that could barely get on their country’s leaderboard last year are randomly topping the global rankings this year. Real teams that compete honorably are being punished for not also slopping their way through CTFs.
It’s really disheartening to see the competition I’ve grown to love over the last few years devolve into a contest to see who can cheat their way to the top. CTFs used to be a great way to learn new things in the world of cybersecurity, but the competitive aspect of CTFs is dying.
Why do I think this happens as much as it does?
One pattern that I immediately noticed was that the vast majority of teams we caught cheating were from South and West Asia, and the Middle East.
Now, I do want to be careful here. This isn’t about race in any way. Its not about intelligence, or skill, or character. Its more structural than personal.
In much of South Asia, West Asia, and the Middle East, the tech job market is brutally competitive. The ratio of qualified graduates to good opportunities is far worse than it is in the western world. The hiring pipelines rely much more on formal credentials than on a person’s portfolio or reputation. A certificate from a recognized competition is essentially worthless on an American resume unless you place very well. That same certificate is worth a lot more in those regions of the world, regardless of how you placed. That cultural pressure is genuine, and it produces a culture where the credential itself become the goal, rather than the actual skill it’s supposed to represent.
That context explains the pattern I noticed. It does not excuse it.
Cheating in a CTF isn’t a victimless crime. It poisons the competition for the teams who put in genuine work, degrades the value of the credential for everyone who earned it honestly, and it doesn’t even work. You can’t fake your way through a technical interview on the back of a fraudulent CTF placement. The pressure that drives people to cheat is understandable. The choice to cheat is still their own. Regardless of my understanding, I hold a zero tolerance policy for cheating in CTFs. I don’t care if what you did didn’t even make that much of a difference. If I find out you have cheated in a CTF I am running, you will be immediately banned from the event.
What I want to say to CTF organizers is this: the incentive structures that drive this behavior are not going away. The pressure that produces it is structural and global and will outlast any individual event. You cannot solve it. What you can do is make the cost of cheating real and consistent. Adopt a zero-tolerance policy. Make it visible. If you catch a team breaking any rule in any way, ban them and be clear that that’s what you do. It won’t stop everyone. It will stop some people, and it will protect the experience for the teams who showed up to actually compete.
To players from these regions who don’t cheat, genuinely, good on you. You’re competing in a harder environment than most, and you’re doing it honestly. That matters.
To players who do cheat, it doesn’t work the way you think it does. You cannot fake your way through a technical interview on the back of a fraudulent CTF placement. The credential you’re manufacturing is hollow, and the only person it deceives long-term is you. The pressure you’re under is real. The choice is still yours.
CTFs used to be one of the best ways to actually learn something in cybersecurity. The competitive side of that is getting harder to protect. For the sake of the people who still show up to learn, please don’t ruin it.
But what about the people who aren’t from those regions?
Even if you aren’t from that part of the world, there are many reasons that a person might choose to cheat. Every person is constantly under some amount of pressure. That is just how the world is. In the world of tech, a lot of young people have been experiencing a world surrounded by uncertainty and fearmongering. College students have been told their degrees are going to end up being worthless because of AI. Businesses are laying off employees at record rates. This is not the place to evaluate that, but it does create a pressure to perform.
When any person is put under a sufficient level of pressure, it causes them to do things they know are wrong but believe are necessary to survive. I can understand that.
Think about it this way though. Cybersecurity might just make the list for the top 10 careers where your employer REALLY needs to know they can trust you. The level of access and power cybersecurity professionals are given is often much higher than others. As such, developing a portfolio with honesty as one of your central focuses is not just important. It is one of the key features that helps you build that career. When you cheat in a CTF, you indicate to everyone that you are not a trustworthy person. Obviously I’m not in charge of hiring anyone, but I know the names of some of the people who cheated in BYUCTF26, and I will likely remember those. 10 years down the line, the last thing you want is some manager recognizing your name or a list of accomplishments and saying “Wait, I remember this guy. He blatantly cheated in a CTF I ran in college. I shouldn’t hire this guy.”
Regardless of what your reasons are, there is no excuse for cheating. The decision is always yours.
Moving forward
Next year will be my last helping out with BYUCTF. I’m excited to see how BYUCTF27 shapes up. As such, I (and all the other smart people we have) will be constantly monitoring the CTF scene over the next year. I highly doubt that anything will improve, but I’m hoping that things do. We were honestly pretty tame in our monitoring of cheating this year, but we had some ideas of varying levels of good and bad:
- Log the IP address when a hosted challenge is solved and then when that same IP submits a flag.
- Web challenges that force you to do captchas to do anything.
- Fake challenges on CTFd that are like hidden by CSS? You only see them if you scrape ctfd for challenges, not if you just play normally.
- You have to solve an audio forensics challenge before you can submit any flag.
- BYUCTF 2027 being only steg would be a good bit
Those might give you some ideas for catching cheaters in your own CTF.
As always, if you want to let me know your thoughts on the matter, or think I’m a stupid moron and deserve to die, you can contact me by email at .