January 5th 2012
Users browsing 4chan's /x/ board were greeted with a mysterious image, unlike much else really seen on that board. It displayed the following message in simple, white-on-black font:
There is a message hidden in this image. Find it and it will lead you on the road to finding us. We look forward to meeting the few who will make it all the way through. Good Luck. 3301
There was almost nobody browsing /x/ at that time who did not notice it. Many initially thought it was another ARG, some thought it was an NSA recruitment program, and to this day few know where the rabbit hole leads to, and those that do have disappeared from the internet and have not told anybody else any more than they fear to let on.
If it sounds like a scary story, that's because it is.
Welcome to the world of Cicada.
Because the message mentioned that he had a message inside, solvers were quick to try different methods to find it. The most common use was to initially open the image file into a text editing application, which allows users to read a dump of the bytes in the image. This produced the following text at the end of VS CLAVDIVS CAESAR says "lxxt> 33m2mqkyv2gsq3q = w] O2ntk"
This was quickly found to be a Caesar cipher, hence the reference, and the deciphered text was obviously a URL, judging by the first 5 symbols is clearly a single letter followed letter, another single letter and a piece of punctuation.
Decrypting this cipher led to the discovery of the following image file:This image file was a difficult clue to follow, but solvers soon realised that it meant that the program OutGuess had to be used (hence the words guess and out).
In its simplest form, OutGuess is a steganography program designed to hide messages within images. More on OutGuess can be found at its very own wiki page.
Opening the image in OutGuess led to the following message (concatenated to fit better formatting. The original text can be found here ):
Here is a book code. To find the book, and more information, go to http://www.reddit.com/r/a2e7j6ic78h0j/ 1:20, 2:3, 3:5, 4:20, 5:5, 6:53, 7:1, 8:8, 9:2, 10:4, 11:8, 12:4, 13:13, 14:4, 15:8, 16:4, 17:5, 18:14, 19:7, 20:31, 21:12, 22:36, 23:2, 24:3, 25:5, 26:65, 27:5, 28:1, 29:2, 30:18, 31:32, 32:10, 33:3, 34:25, 35:10, 36:7, 37:20, 38:10, 39:32, 40:4, 41:40, 42:11, 43:9, 44:13, 45:6, 46:3, 47:5, 48:43, 49:17, 50:13, 51:4, 52:2, 53:18, 54:4, 55:6, 56:4, 57:24, 58:64, 59:5, 60:37, 61:60, 62:12, 63:6, 64:8, 65:5, 66:18, 67:45, 68:10, 69:2, 70:17, 71:9, 72:20, 73:2, 74:34, 75:13, 76:21 Good luck. 3301
The subreddit in question can be found here .
The subreddit contained lots of different text posts and two images, Welcome and Problems.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - From here on out, we will cryptographically sign all messages with this key. It is available on the mit keyservers. Key ID 7A35090F, as posted in a2e7j6ic78h0j. Patience is a virtue. Good luck. 3301 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) iQIcBAEBAgAGBQJPBRz7AAoJEBgfAeV6NQkP1UIQALFcO8DyZkecTK5pAIcGez7k ewjGBoCfjfO2NlRROuQm5CteXiH3Te5G+5ebsdRmGWVcah8QzN4UjxpKcTQRPB9e /ehVI5BiBJq8GlOnaSRZpzsYobwKH6Jy6haAr3kPFK1lOXXyHSiNnQbydGw9BFRI fSr//DY86BUILE8sGJR6FA8Vzjiifcv6mmXkk3ICrT8z0qY7m/wFOYjgiSohvYpg x5biG6TBwxfmXQOaITdO5rO8+4mtLnP//qN7E9zjTYj4Z4gBhdf6hPSuOqjh1s+6 /C6IehRChpx8gwpdhIlNf1coz/ZiggPiqdj75Tyqg88lEr66fVVB2d7PGObSyYSp HJl8llrt8Gnk1UaZUS6/eCjnBniV/BLfZPVD2VFKH2Vvvty8sL+S8hCxsuLCjydh skpshcjMVV9xPIEYzwSEaqBq0ZMdNFEPxJzC0XISlWSfxROm85r3NYvbrx9lwVbP mUpLKFn8ZcMbf7UX18frgOtujmqqUvDQ2dQhmCUywPdtsKHFLc1xIqdrnRWUS3CD eejUzGYDB5lSflujTjLPgGvtlCBW5ap00cfIHUZPOzmJWoEzgFgdNc9iIkcUUlke e2WbYwCCuwSlLsdQRMA//PJN+a1h2ZMSzzMbZsr/YXQDUWvEaYI8MckmXEkZmDoA RL0xkbHEFVGBmoMPVzeC =fRcg -----END PGP SIGNATURE-----
and Problems' was this:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 The key has always been right in front of your eyes. This isn't the quest for the Holy Grail. Stop making it more difficult than it is. Good luck. 3301 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) iQIcBAEBAgAGBQJPCBl3AAoJEBgfAeV6NQkPo6EQAKghp7ZKYxmsYM96iNQu5GZV fbjUHsEL164ZLctGkgZx2H1HyYFEc6FGvcfzqs43vV/IzN4mK0SMy2qFPfjuG2JJ tv3x2QfHMM3M2+dwX30bUD12UorMZNrLo8HjTpanYD9hL8WglbSIBJhnLE5CPlUS BZRSx0yh1U+wbnlTQBxQI0xLkPIz+xCMBwSKl5BaCb006z43/HJt7NwynqWXJmVV KScmkpFC3ISEBcYKhHHWv1IPQnFqMdW4dExXdRqWuwCshXpGXwDoOXfKVp5NW7Ix 9kCyfC7XC4iWXymGgd+/h4ccFFVm+WWOczOq/zeME+0vJhJqvj+fN2MZtvckpZbc CMfLjn1z4w4d7mkbEpVjgVIU8/+KClNFPSf4asqjBKdrcCEMAl80vZorElG6OVIH aLV4XwqiSu0LEF1ESCqbxkEmqp7U7CHl2VW6qv0h0Gxy+/UT0W1NoLJTzLBFiOzy QIqqpgVg0dAFs74SlIf3oUTxt6IUpQX5+uo8kszMHTJQRP7K22/A3cc/VS/2Ydg4 o6OfN54Wcq+8IMZxEx+vxtmRJCUROVpHTTQ5unmyG9zQATxn8byD9Us070FAg6/v jGjo1VVUxn6HX9HKxdx4wYGMP5grmD8k4jQdF1Z7GtbcqzDsxP65XCaOYmray1Jy FG5OlgFyOflmjBXHsNad =SqLP -----END PGP SIGNATURE-----
Both of them were signed with PGP signatures, which are basically a completely secure method of ensuring that the message has come from the confirmed sender. You can learn more about GnuPG (a free version of PGP) at it's own wiki page.
You can download Cicada's GPG key straight from the MIT Keyserver (remember to always check the signature and data against the one available from MIT).
In the header of the subreddit, here, there was the following string given:
(The number sequence that is written using mayan numbers is as follows: 10 2 14 7 19 6 18 12 7 8 17 0 19
Comparing this with the a2e7j6ic78h0j7eiejd0120 in the title, we can see that numbers below 10 in the sequence above is also found in this string, at the same positions. Also note that instead of 10 we have “a”, instead of 14 we have “e”, and so on up to “j” being 19. Since the title of the page contains 23 characters and there were only 13 mayan numbers is is quite likely that we are supposed to continue converting characters from the title to numbers.)
10, 2, 14, 7, 19, 6, 18, 12, 7, 8, 17, 0, 19, 7, 14, 18, 14, 19, 13, 0, 1, 2, 0
Later was found that key was derived from King Arthur text. Translate each digit to a letter (from alphabet starting with A = 0) and you get kcohtgsmhirathotnabca. Each letter is first letter in lines of decrypted text.
This was the 'key' that Problems mentioned, being the code to the shift cipher to be applied to the lines of text in the subreddit. If this is confusing, it basically means that each letter in each string was meant to be shifted by the number corresponding to it's location in the text. This produced the following story (not complete).
The code in the original message, as mentioned to be a book code, was applied here. If you're not familiar with book codes, the first number is the line, and the second number is the character in that line. Applying the book code to the text with the full stops removed gave the following string of text:
Call us at us tele phone numBer two one four three nine oh nine six oh eight
This was obviously a telephone number, specifically 2143909608 (Clickable and callable on a phone). This number has since deactivated. Calling this number initially gave the following message:
Very good. You have done well. There are three prime numbers associated with the original final.jpg image. 3301 is one of them. You will have to find the other two. Multiply all three of these numbers together and add a .com to find the next step. Good luck. Goodbye.
The original image had the dimensions of 509 and 503, both of which are prime numbers. These were multiplied with 3301 to equal 845145127, which gave us http://845145127.com . Note that 845145127 is also in brackets in the GPG key's name.
Bckup of page: http://net-netz-blog.de/845145127.htm
Going to this website led to an image of a cicada and a countdown. Using OutGuess on the image produced the following message:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 You have done well to come this far. Patience is a virtue. Check back at 17:00 on Monday, 9 January 2012 UTC. 3301 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) iQIcBAEBAgAGBQJPCKDUAAoJEBgfAeV6NQkPf9kP/19tbTFEy+ol/vaSJ97A549+ E713DyFAuxJMh2AY2y5ksiqDRJdACBdvVNJqlaKHKTfihiYW75VHb+RuAbMhM2nN C78eh+xd6c4UCwpQ9vSU4i1Jzn6+T74pMKkhyssaHhQWfPs8K7eKQxOJzSjpDFCS FG7oHx6doPEk/xgLaJRCt/IJjNCZ9l2kYinmOm7c0QdRqJ+VbV7Px41tP1dITQIH /+JnETExUzWbE9fMf/eJl/zACF+gYii7d9ZdU8RHGi14jA2pRjc7SQArwqJOIyKQ IFrW7zuicCYYT/GDmVSyILM03VXkNyAMBhG90edm17sxliyS0pA06MeOCjhDGUIw QzBwsSZQJUsMJcXEUOpHPWrduP/zN5qHp/uUNNGj3vxLrnB+wcjhF8ZOiDF6zk7+ ZVkdjk8dAYQr62EsEpfxMT2dv5bJ0YBaQGZHyjTEYnkiukZiDfExQZM2/uqhYOj3 yK0J+kJNt7QvZQM2enMV7jbaLTfU3VZGqJ6TSPqsfeiuGyxtlGLgJvd6kmiZkBB8 Jj0Rgx/h9Tc4m9xnVQanaPqbGQN4vZF3kOp/jAN5YjsRfCDb7iGvuEcFh4oRgpaB 3D2/+Qo9i3+CdAq1LMeM4WgCcYj2K5mtL0QhpNoeJ/s0KzwnXA+mxBKoZ0S8dUX/ ZXCkbOLoMWCUfqBn8QkQ =zn1y -----END PGP SIGNATURE-----
And so the solvers waited. And waited. And waited. And finally, after what seemed like years, the website changed.
The Scary BitReapplying OutGuess on the cicada image produced a new message, containing co-ordinates, as well as two which were written on the website itself:
52.216802, 21.018334 48.85057059876962, 2.406892329454422 48.85030144151387,2.407538741827011 47.664196, -122.313301 47.637520, -122.346277 47.622993, -122.312576 37.5196666666667, 126.995 33.966808, -117.650488 29.909098706850486 -89.99312818050384 25.684702, -80.441289 21.584069, -158.104211 - -33.90281, 151.18421 36.0665472222222, -94.1726416666667 37.577070, 126.813122These returned locations across the globe, meaning that unless you had access to all these locations, you'd be forced to collaborate with other users, like the main IRC channel on n0v4. At each of these locations, brave solvers found a sheet of paper stuck to a telegraph pole, with a QR code and an image of a cicada.
It took a while for this to sink in with the community, that this wasn't just a talented neckbeard in a basement, that this was actually a global organisation of some very very talented people.
Upon scanning these QR codes 2 different messages were revealed. These are:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 In twenty-nine volumes, knowledge was once contained. How many lines of the code remained when the Mabinogion paused? Go that far in from the beginning and find my first name. 1:29 6:46 the product of the first two primes 2:37 14:41 17:3 27:40 the first prime 2:33 1:1 7:45 17:29 21:31 12:17 the product of the first two primes 22:42 15:18 24:33 27:46 12:29 25:66 7:47 You've shared too much to this point. We want the best, not the followers. Thus, the first few there will receive the prize. Good luck. 3301 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) iQIcBAEBAgAGBQJPB1luAAoJEBgfAeV6NQkP9oAP+gLu+FsRDf3aRcJtBkCOU2MX r/dagOTvCKWtuV+fedy0enWUZ+CbUjXOr98m9eq2z4iEGqKd3/MBXa+DM9f6YGUE jPum4wHtQDSJlZMazuYqJOVZGw5XmF25+9mRM6fe3H9RCiNDZpuXl3MzwdivYhcG B5hW14PcdHHteQf3eAUz+p+s06RDs+q1sNGa/rMQIx9QRe71EJwLMMkMfs81kfJC tCt21+8ud0Xup4tjUBwul7QCcH9bqKG7cnR1XWsDgdFP6a4x9Jl2/IUvp1cfeT7B YLS9W3lCM8thMemJr+ztQPZrpDlaLIitAT2L0B3f/k4co89v5X2I/toY8Z3Cdvoi hk0AdWzMy/XLDgkPnpEef/aFmnls53mqqe9xKAUQPMrI73hiJ+5UZWuJdzCpvt+F BjfQk15EJoUUW16K2+mBA1cSd+HJlnkslUTsjkq0E36XKChP+Cvbu/p6DLUMM2Xl +n3iospCkkHR9QDcHzE4Rxg9A435yHqqJ/sL2MXG/CY8X4ec6U0/+UCIF9spuv8Y 7w66D05pI2u9M/081L7Br0i0Mpdf9fDblO/6GksskccaPkMQ3MRtsL+p9o6Dnbir 6Z2wH2Kw1Bf0Gfx4VcpHBikoWJ5blCc6tfvT+qXjVOZjWAL7DvReavSEmW1/fubN C3RWcjeI4QET2oKmV2NK =LWeJ -----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 A poem of fading death, named for a king Meant to be read only once and vanish Alas, it could not remain unseen. 1:5 152:24 the product of the first two primes 14:13 7:36 12:10 7:16 24:3 271:22 10:7 13:28 12:7 86:17 93:14 the product of the first two primes 16:7 96:4 19:13 47:2 71:22 75:9 77:4 You've shared too much to this point. We want the best, not the followers. Thus, the first few there will receive the prize. Good luck. 3301 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) iQIcBAEBAgAGBQJPB/nmAAoJEBgfAeV6NQkPEnEQAKl5qtb3ZE5vs+c08KuzAi4a tQEE71fvb65KQcX+PP5nHKGoLd0sQrZJw1c4VpMEgg9V27LSFQQ+3jSSyan7aIIg SDqhmuAcliKwf5ELvHM3TQdyNb/OnL3R6UvavhfqdQwBXCDC9F0lwrPBu52MJqkA ns93Q3zxec7kTrwKE6Gs3TDzjlu39YklwqzYcUSEusVzD07OVzhIEimsOVY+mW/C X87vgXSlkQ69uN1XAZYp2ps8zl4LxoaBl5aVtIOA+T8ap439tTBToov19nOerusB 6VHS192m5NotfQLnuVT4EITfloTWYD6X7RfqspGt1ftb1q6Ub8Wt6qCIo6eqb9xm q2uVzbRWu05b0izAXkHuqkHWV3vwuSfK7cZQryYA7pUnakhlpCHo3sjIkh1FPfDc xRjWfnou7TevkmDqkfSxwHwP5IKo3r5KB87c7i0/tOPuQTqWRwCwcWOWMNOS7ivY KQkoEYNmqD2Yz3Esymjt46M3rAuazxk/gGYUmgHImgcu1zzK7Aq/IozXI7EFdNdu 3EoRJ/UL9Y0l0/PJOG5urdeeTyE0b8bwgfC2Nk/c8ebaTkFbOnzXdAvKHB03KEeU PtM6d6DngL/LnUPFhmSW7K0REMKv62h9KyP/sw5QHTNh7Pz+C63OO3BsFw+ZBdXL hGqP6XptyZBsKvz2TLoX =aXFt -----END PGP SIGNATURE-----
Which the solvers knew to be book codes along with a description of each book. They also included a warning about too much collaboration, saying that only the first few, or the active few, that make it to the end will recieve entry.
The second code was found to have led to the poem Agrippa by typing in keywords from the description. This poem, found here, spat out the following after the book code was applied:
Which most will know to be a hidden service on the Tor network. By entering this page into a tor-equipped browser, users found the following message (GPG signature removed):
Congratulations! Please create a new email address with a public, free web-based service. Once you've never used before, and enter it below. We recommend you do this while still using tor, for anonymity. We will email you a number within the next few days (in the order in which you arrived at this page). Once you've recieved it, come back to this page and append a slash and then the number you recieved to this url. (For example, if you recieved "3894894230934209", then you would go to "[http:// http://sq6wmgv2zcsrix6t.onion/3894894230934209]") 3301
The way that these pages are run is that everything publicly available will go in part 1, and everything that wasn't publically available (and therefore questionable), will go in part 2. For the 2012 puzzle, it did not initially end at the first set of puzzles. If you want to cut to the chase and get straight to the emails recieved, go to Part 2. If you want to continue with the 'second chance', keep on reading.
The Second Chance
The following happened after someone initially leaked the original email sent to them. It included instructions for obtaining another RSA key (see Part 2), and the clue 'Numbers dot TK'. Sadly, there is no good documentation on what happened next here, so presumeably the solvers visited 845145127.tk, which led to another opportunity to get an email, as some certainly did. To read more, continue to Part 2.