Evil Twin WiFi: How Fake Networks Steal Your Data

IsThisAScam Research Team · April 11, 2026 · 4 min read
Contents
  1. Evil Twin WiFi: How Fake Networks Steal Your Data
  2. How Evil Twin Attacks Work
  3. Where Evil Twin Attacks Happen
  4. What Attackers Can Capture
  5. How to Protect Yourself

A security researcher at DEF CON 2025 set up a fake WiFi network called "Starbucks_Free_WiFi" in a Las Vegas hotel lobby. Within 20 minutes, 87 devices had auto-connected. Within an hour, the researcher (who was conducting an authorized demonstration, not a real attack) had captured login credentials for email accounts, social media platforms, and a corporate VPN. Nobody noticed anything unusual.

An evil twin attack creates a rogue WiFi access point that mimics a legitimate network. Your device connects — often automatically — and routes all your internet traffic through the attacker's hardware. Everything you send and receive is visible to them.

How Evil Twin Attacks Work

Step 1: Clone a legitimate network. The attacker creates a WiFi network with the same name (SSID) and settings as a real one. In a coffee shop with a network called "CafeWiFi," the attacker creates a second "CafeWiFi." Most devices cannot distinguish between two networks with the same name.

Step 2: Overpower the real network. The attacker's hardware broadcasts a stronger signal than the legitimate access point, or they use a deauthentication attack to kick devices off the real network. Devices automatically reconnect to the strongest available network with a known SSID — the evil twin.

Step 3: Serve a captive portal. Many evil twins present a fake login page — mimicking the venue's WiFi login — that captures credentials. Some request an email and password "to access free WiFi." Victims who reuse passwords (most people do) hand over credentials that work on other accounts.

Step 4: Intercept traffic. Once connected, the attacker can monitor all unencrypted traffic, inject malicious content into web pages, redirect DNS queries to phishing sites, and perform SSL stripping to downgrade HTTPS connections to HTTP.

Where Evil Twin Attacks Happen

Any location with public WiFi is a potential attack surface:

Coffee shops and restaurants. Open networks with simple names ("CoffeeShop_WiFi") are trivial to clone. Customers expect free WiFi and connect without question.

Airports. Travelers desperately need connectivity and connect to anything available. Airport WiFi names are publicly known, making cloning easy. The attacker does not even need to be in the airport — they can be in the parking garage with a directional antenna.

Hotels. Hotel WiFi networks often use room number or last name authentication, which attackers can replicate. Business travelers accessing corporate resources on hotel WiFi are high-value targets.

Conferences and events. Large gatherings create dense WiFi environments where an extra network is invisible. Event WiFi credentials are often shared publicly, making cloning seamless.

What Attackers Can Capture

On an evil twin network, the attacker has access to:

Unencrypted web traffic. Any site you visit over HTTP (without HTTPS) is fully visible — including form submissions containing usernames and passwords.

DNS queries. Even with HTTPS, the attacker can see which domains you visit. They can also redirect DNS queries to serve phishing pages for any domain.

Email credentials. Email clients that connect without strict certificate validation may transmit credentials in cleartext or accept fraudulent certificates.

Session cookies. Intercepted session cookies allow attackers to hijack active sessions without needing your password.

"I set up an evil twin at a coworking space as part of a sanctioned penetration test. In four hours, I captured 14 email passwords, 6 Slack tokens, and 3 cloud storage sessions. Every single person told me afterward that they noticed nothing unusual." — Penetration tester interviewed for this article.

How to Protect Yourself

Use a VPN. Always. A VPN encrypts all traffic between your device and the VPN server, making it unreadable even on a compromised network. This is the single most effective defense against evil twin attacks.

Disable auto-connect. Configure your devices to ask before joining known networks. This prevents automatic connection to evil twins that match saved network names.

Forget public networks after use. Remove saved public WiFi networks from your device so they cannot be used as evil twin targets later.

Use cellular data when possible. Your phone's mobile data connection is dramatically harder to intercept than WiFi. For sensitive activities — banking, corporate email, password entry — use cellular data.

Verify the network. Ask an employee for the exact WiFi name and check for duplicates in your network list. If you see two networks with the same name, do not connect to either.

Watch for certificate warnings. If your browser warns about an invalid certificate on a familiar site while on public WiFi, disconnect immediately. This is a strong indicator of a man-in-the-middle attack.

Enable DNS over HTTPS. DoH encrypts your DNS queries, preventing the attacker from redirecting you to phishing sites even if they control the network.
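
For the "Verify the network" check above, a duplicate name alone is ambiguous, because venues with several access points legitimately broadcast one SSID from multiple radios. The following added example (not part of the original article) parses a constructed sample of `nmcli` terse scan output and flags SSIDs that appear both open and encrypted, or from radios with different vendor prefixes; the sample data, function names and both heuristics are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample of:
#   nmcli -t -f SSID,BSSID,CHAN,SIGNAL,SECURITY device wifi list
# Terse mode escapes ':' inside a value as '\:'. Not captured from a real venue.
SAMPLE_SCAN = r"""
CafeWiFi:3C\:84\:6A\:10\:22\:01:6:62:WPA2
CafeWiFi:3C\:84\:6A\:10\:22\:02:11:48:WPA2
CafeWiFi:02\:1A\:11\:F0\:9B\:77:6:91:
HotelGuest:58\:97\:BD\:44\:10\:A0:1:70:WPA2
HotelGuest:58\:97\:BD\:44\:10\:B0:36:55:WPA2
"""

def split_terse(line):
    """Split one terse nmcli row on unescaped ':' and undo backslash escapes."""
    fields, cur, i = [], [], 0
    while i < len(line):
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):
            cur.append(line[i + 1])      # escaped character, keep it literally
            i += 2
        elif ch == ":":
            fields.append("".join(cur))  # unescaped ':' ends the field
            cur, i = [], i + 1
        else:
            cur.append(ch)
            i += 1
    fields.append("".join(cur))
    return fields

def find_suspect_ssids(scan_text):
    """Return {ssid: [reasons]} for SSIDs whose radios disagree with each other."""
    by_ssid = defaultdict(list)
    for line in scan_text.strip().splitlines():
        fields = split_terse(line)
        if len(fields) != 5 or not fields[0]:
            continue                     # malformed row or hidden (empty) SSID
        ssid, bssid, _chan, _signal, security = fields
        is_open = security in ("", "--")  # assumption: open networks show no security
        by_ssid[ssid].append((bssid.upper(), is_open))
    findings = {}
    for ssid, aps in by_ssid.items():
        reasons = []
        if len({is_open for _, is_open in aps}) > 1:
            reasons.append("mixed-security")    # same name, open and encrypted
        if len({bssid[:8] for bssid, _ in aps}) > 1:
            reasons.append("mixed-vendor-oui")  # radios from different vendors
        if reasons:
            findings[ssid] = reasons
    return findings

if __name__ == "__main__":
    print(find_suspect_ssids(SAMPLE_SCAN))
```

A clean result does not prove a network is genuine, since a rogue access point can copy the BSSID and security settings as well as the name.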

If you received a suspicious captive portal page or login request on public WiFi, screenshot it and check it with IsThisAScam before entering any information.
