Uncovering Cicada Wiki

What Happened Part 1 (2012)

The Invitation

It all began on January 4, 2012.

Users browsing 4chan's /x/ board were greeted with a mysterious image, unlike most of what was usually seen on that board. It displayed the following message in a simple white-on-black font:

There is a message hidden in this image.

Find it and it will lead you on the road to finding us. We look forward to meeting the few who will make it all the way through.

Good Luck.

3301

Almost nobody browsing /x/ at the time failed to notice it. Many initially thought it was another ARG, and some thought it was an NSA recruitment program. To this day few know where the rabbit hole leads, and those who do have disappeared from the internet and have not told anybody else any more than they fear to let on.

If it sounds like a scary story, that's because it is.

Welcome to the world of Cicada.

The Decoy

Since the image said that it contained a hidden message, the solvers were quick to try different methods of finding it. The most common first approach was to open the image file in a text editor, which lets the user read a dump of the bytes in the image. This revealed the following text at the end of the image file:

TIBERIVS CLAVDIVS CAESAR says "lxxt>33m2mqkyv2gsq3q=w]O2ntk"

This was quickly identified as a Caesar cipher, hence the reference to the emperor. The decrypted text was evidently a URL: the first five symbols are a single letter, a doubled letter, another single letter and a piece of punctuation, the same pattern as "http:".
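
As an added example (not part of the original wiki page or anything published by 3301), the sketch below brute-forces the shift over printable ASCII, since this ciphertext shifts punctuation and digits as well as letters, and keeps any candidate that begins like a URL. The function names and the use of the printable range 0x20 to 0x7E as the alphabet are assumptions.

```python
# Ciphertext found at the end of the image file (from the page above).
CIPHERTEXT = 'lxxt>33m2mqkyv2gsq3q=w]O2ntk'

LO, HI = 0x20, 0x7E      # printable ASCII, treated as the cipher alphabet (assumption)
SPAN = HI - LO + 1       # 95 symbols


def unshift(text, shift):
    """Move every printable character back by `shift`, wrapping inside the range."""
    out = []
    for ch in text:
        code = ord(ch)
        if LO <= code <= HI:
            code = LO + (code - LO - shift) % SPAN
        out.append(chr(code))
    return "".join(out)


def find_url_shifts(text, prefixes=("http://", "https://")):
    """Return [(shift, plaintext)] for every shift whose output starts like a URL."""
    hits = []
    for shift in range(1, SPAN):
        candidate = unshift(text, shift)
        if candidate.startswith(prefixes):
            hits.append((shift, candidate))
    return hits


if __name__ == "__main__":
    for shift, plain in find_url_shifts(CIPHERTEXT):
        print(shift, plain)
```

Only one shift survives the URL filter, which is why the letter-pattern observation in the paragraph above was enough to settle the cipher.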

Decrypting this cipher led to the discovery of the following image file:

This image file was a difficult clue to follow, but solvers soon realised that it meant that the program OutGuess had to be used (hence the words guess and out).

In its simplest form, OutGuess is a steganography program designed to hide messages within images. More on OutGuess can be found at its very own wiki page.

The message

Opening the image in OutGuess led to the following message (condensed here to fit the page formatting; the original text can be found here):

Here is a book code.  To find the book, and more information, go to http://www.reddit.com/r/a2e7j6ic78h0j/

1:20, 2:3, 3:5, 4:20, 5:5, 6:53, 7:1, 8:8, 9:2, 10:4, 11:8, 12:4, 13:13, 14:4, 15:8, 16:4, 17:5, 18:14, 19:7, 20:31, 21:12, 22:36, 23:2, 24:3, 25:5, 26:65, 27:5, 28:1, 29:2, 30:18, 31:32, 32:10, 33:3, 34:25, 35:10, 36:7, 37:20, 38:10, 39:32, 40:4, 41:40, 42:11, 43:9, 44:13, 45:6, 46:3, 47:5, 48:43, 49:17, 50:13, 51:4, 52:2, 53:18, 54:4, 55:6, 56:4, 57:24, 58:64, 59:5, 60:37, 61:60, 62:12, 63:6, 64:8, 65:5, 66:18, 67:45, 68:10, 69:2, 70:17, 71:9, 72:20, 73:2, 74:34, 75:13, 76:21

Good luck.

3301

The subreddit in question can be found here.

The Code

The subreddit contained lots of different text posts and two images, Welcome and Problems.

Each one contained an OutGuess message. Welcome's was this:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- From here on out, we will cryptographically sign all messages with this key.

It is available on the mit keyservers.  Key ID 7A35090F, as posted in a2e7j6ic78h0j.

Patience is a virtue.

Good luck.

3301
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

-----END PGP SIGNATURE-----

and Problems' was this:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

The key has always been right in front of your eyes.

This isn't the quest for the Holy Grail.  Stop making 
it more difficult than it is. 

Good luck.

3301
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

-----END PGP SIGNATURE-----

Both of them were signed with PGP signatures, which are a cryptographic method of ensuring that a message has come from the holder of the signing key. You can learn more about GnuPG (a free version of PGP) at its own wiki page.

You can download Cicada's GPG key straight from the MIT Keyserver (recommended for advanced or cautious users), or download the .asc from Mega (remember to always check the signature and data against the one available from MIT).

In the header of the subreddit, there was the following string given:

10, 2, 14, 7, 19, 6, 18, 12, 7, 8, 17, 0, 19, 7, 14, 18, 14, 19, 13, 0, 1, 2, 0

This was the 'key' that Problems mentioned: the code for the shift cipher to be applied to the lines of text in the subreddit. If this is confusing, it basically means that each letter in each string was meant to be shifted by the number corresponding to its location in the text. This produced the following story (not complete).

The Numbers

The code in the original message, which was described there as a book code, was applied here. If you're not familiar with book codes, the first number is the line, and the second number is the character in that line. Applying the book code to the text with the full stops removed gave the following string of text:

Call us at us tele phone numBer two one four three nine oh nine six oh eight

This was obviously a telephone number, specifically 2143909608. This number has since been deactivated. Calling this number initially gave the following message:

Very good. You have done well. There are three prime numbers associated with the original final.jpg image. 3301 is one of them. You will have to find the other two. Multiply all three of these numbers together and add a .com to find the next step. Good luck. Goodbye.

The original image had the dimensions of 509 and 503, both of which are prime numbers. These were multiplied with 3301 to equal 845145127, which gave us http://845145127.com. Note that 845145127 is also in brackets in the GPG key's name.

Backup of the page: http://net-netz-blog.de/845145127.htm

The Website

Going to this website led to an image of a cicada and a countdown. Using OutGuess on the image produced the following message:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
You have done well to come this far.
 
Patience is a virtue.
 
Check back at 17:00 on Monday, 9 January 2012 UTC.
 
3301
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
 
-----END PGP SIGNATURE-----

And so the solvers waited. And waited. And waited. And finally, after what seemed like years, the website changed.

The Scary Bit

Reapplying OutGuess on the cicada image produced a new message, containing co-ordinates, as well as two which were written on the website itself:

52.216802, 21.018334
48.85057059876962, 2.406892329454422
48.85030144151387,2.407538741827011
47.664196,  -122.313301
47.637520, -122.346277
47.622993, -122.312576
37.5196666666667, 126.995
33.966808, -117.650488
29.909098706850486 -89.99312818050384
25.684702, -80.441289
21.584069, -158.104211
-33.90281, 151.18421
36.0665472222222, -94.1726416666667
37.577070, 126.813122

These turned out to be locations across the globe, meaning that unless you had access to all of them, you'd be forced to collaborate with other users, for example in the main IRC channel on n0v4. At each of these locations, brave solvers found a sheet of paper stuck to a telegraph pole, with a QR code and an image of a cicada.

It took a while for the community to take in that this wasn't just a talented neckbeard in a basement, but actually a global organisation of some very, very talented people.

Scanning these QR codes revealed two different messages. These are:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
In twenty-nine volumes, knowledge was once contained.
How many lines of the code remained when the Mabinogion paused?
Go that far in from the beginning and find my first name.
 
1:29
6:46
the product of the first two primes
2:37
14:41
17:3
27:40
the first prime
2:33
1:1
7:45
17:29
21:31
12:17
the product of the first two primes
22:42
15:18
24:33
27:46
12:29
25:66
7:47
 
You've shared too much to this point.  We want the best,  
not the followers.  Thus, the first few there will receive
the prize.
 
Good luck.
 
3301
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
 
-----END PGP SIGNATURE-----

and

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
A poem of fading death, named for a king
Meant to be read only once and vanish
Alas, it could not remain unseen.
 
1:5
152:24
the product of the first two primes
14:13
7:36
12:10
7:16
24:3
271:22
10:7
13:28
12:7
86:17
93:14
the product of the first two primes
16:7
96:4
19:13
47:2
71:22
75:9
77:4
 
You've shared too much to this point.  We want the best,  
not the followers.  Thus, the first few there will receive
the prize.
 
Good luck.
 
3301
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
 
-----END PGP SIGNATURE-----

The solvers recognised these as book codes, each accompanied by a description of its book. They also included a warning about too much collaboration, saying that only the first few, or the active few, who make it to the end will receive entry.
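
Both the comma-separated code from the first OutGuess message and the QR-code messages above can be decoded by one routine, shown here as an added example (not code from the wiki or from 3301). The sample book and code are constructed for illustration, and the function name, the `strip_chars` parameter and counting lines by the text's own line breaks are assumptions.

```python
import re

# Phrases the QR-code messages use in place of a line:character pair.
LITERALS = {
    "the first prime": "2",
    "the product of the first two primes": "6",  # 2 * 3
}
PAIR = re.compile(r"(\d+):(\d+)")


def decode_book_code(code, book, strip_chars=""):
    """Decode 1-based line:character pairs against `book`.

    strip_chars: characters deleted from each line before indexing (the
    first code only worked with the full stops removed). Lines are counted
    by the text's own line breaks, which is an assumption.
    """
    table = str.maketrans("", "", strip_chars)
    lines = [line.translate(table) for line in book.splitlines()]
    out = []
    for token in re.split(r"[,\n]", code):
        token = token.strip()
        if not token:
            continue
        if token.lower() in LITERALS:
            out.append(LITERALS[token.lower()])
            continue
        match = PAIR.fullmatch(token)
        if match is None:
            raise ValueError(f"unrecognised token: {token!r}")
        line_no, char_no = map(int, match.groups())
        if not 1 <= line_no <= len(lines):
            raise IndexError(f"{token}: no such line")
        line = lines[line_no - 1]
        if not 1 <= char_no <= len(line):
            raise IndexError(f"{token}: line has only {len(line)} characters")
        out.append(line[char_no - 1])
    return "".join(out)


# Constructed sample book and code, not the texts 3301 used.
SAMPLE_BOOK = "Quiet. rivers run north.\nA fox. jumps over it.\nZebras drink at dawn.\n"
SAMPLE_CODE = "2:3\nthe product of the first two primes\n1:7, 3:1\nthe first prime\n"

if __name__ == "__main__":
    print(decode_book_code(SAMPLE_CODE, SAMPLE_BOOK, strip_chars="."))  # full stops removed
    print(repr(decode_book_code(SAMPLE_CODE, SAMPLE_BOOK)))             # raw text shifts 1:7
```

The second call shows why text normalisation matters: leaving the full stops in moves the character at 1:7 from a letter to a space, so a single punctuation difference between editions of a book corrupts the output.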

The book for the second code was identified as the poem Agrippa by searching for keywords from the description. Applying the book code to this poem, found here, produced the following:

sq6wmgv2zcsrix6t.onion

Most will recognise this as a hidden service on the Tor network. By opening this address in a Tor-equipped browser, users found the following message (GPG signature removed):

Congratulations!

Please create a new email address with a public, free web-based service. One you've never used before, and enter it below. We recommend you do this while still using tor, for anonymity.

We will email you a number within the next few days (in the order in which you arrived at this page). Once you've received it, come back to this page and append a slash and then the number you received to this url. (For example, if you received "3894894230934209", then you would go to "http://sq6wmgv2zcsrix6t.onion/3894894230934209")

3301

The Split

These pages are organised so that everything that was publicly available goes in Part 1, and everything that wasn't publicly available (and is therefore questionable) goes in Part 2. The 2012 puzzle did not initially end at the first set of puzzles. If you want to cut to the chase and get straight to the emails received, go to Part 2. If you want to continue with the 'second chance', keep on reading.

The Second Chance

The following happened after someone initially leaked the original email sent to them. It included instructions for obtaining another RSA key (see Part 2), and the clue 'Numbers dot TK'. Sadly, there is no good documentation here on what happened next, so presumably the solvers visited 845145127.tk, which led to another opportunity to get an email, as some certainly did. To read more, continue to Part 2.



OTHER LINKS

Two links that explain the puzzle in a different way, in case you don't understand a certain step:

http://www.clevcode.org/cicada-3301/

http://bernsteinbear.com/blog/cicada/
