No its more of an urban legend. I'm sure there's some hijinks going on but I doubt the hotels would tolerate any kind of large scale malicious activity especially with all the unrelated people staying at the hotel

DefCon sets up its own wifi networks, it doesn't use the hotel's wifi

Do you have sources for that? It’s unlike what many people who attend claim so I’d like to know what it’s based on.

I concur. While I bring a "burner" phone and laptop, it's more so I have a scratch system I can play / experiement on than any real fear that a sensibly configured device is going to get pwned. I used my real phone and laptop during Defcon 27 last week, too. I do have bluetooth off, and I made sure I had no filesharing enabled, and the latest patches, etc.)

I've been to about 10 defcons, and I've never had a device pwned that wasn't a spare device I was playing with.