Uncovering Cicada Wiki

Introduction

In 2012 this article popped up: http://www.losandesonline.cl/noticias/17643/11042012-pdi-advierte-sobre-nueva-modalidad-de-estafa-por-internet-a-traves-de-google.html

It accused a cybercriminal named "Necrome" to be a 3301's member. A translated version follows:

Title: PID warns about a new type of Internet scam operated through Google
Hackers advertised a fake page of bank on the search engine to get clients password data.

LOS ANDES. The Los Andes PID Brigade against Economic Crime warned the public, in particular users of Internet banking, on a new form of fraud operated using the well-known search engine google.

The head of that unit, Commissioner Marcelo Martínez (see enlarged photo) said a few weeks ago that the Metropolitan Bridec managed to establish the modus operandi of this hacker group named Cicada 3301.

The officer explained that to carry out these scams, hackers created fake bank websites which were advertised on Google. When a customers of such banking service wanted to access it, the fake virus-generated page would appear and the person would naively give out their access codes.

After obtaining the data, the cybercriminals accessed the users' real accounts and made money transfers.

Deputy Commissioner Martinez stated that as the result of this investigation, Enzo Alexander F.C., alias "Necrome", was arrested in Santiago. He was one of the members of this group, who also has a criminal record for two crimes of swindling.

He specified that the nationwide connections of this group are being investigated by the Cybercrime Brigade, "but the concreteness of this group operations should prompt local internet users to be careful when entering the pages of their banks through the Google search engine".

The officer said that victims of this type of scam should send a formal complaint to their bank to see whether the money can be returned "but if they were damaged, they should approach the nearest PDI unit to file a complaint".

3301's Response

3301 responded with the following PGP-signed statement:

PGP-Signed Message
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Some news organisations have recently claimed that "Cicada 3301" is
tied to the illegal activities of an individual going by "Necrome".

This is not true.

We do not engage in illegal activities.  We are not associated
with this individual.

Anyone involved in illegal activities would be cut off from our
fellowship immediately.

3301


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iQIcBAEBAgAGBQJPjvzWAAoJEBgfAeV6NQkPaZ0P/RPWXo1M78ctx4Kz/Y0TQhUL
aEf7XA9OhxWhx6av9wrDbJ0l6leWvqcH8ONRvrBaJ8FGbWlp23q1uqsQWcuXOMhg
+Kg2eHp2Wc8yoRid0XOuYZ7xZLMQ19XBLPgwtCyrrEVBlIq3Rk8xMMoEd0sqo7UO
c3URRoGMUZrDyrprjvmPtyFDyOG8WUhKHUiyP9tnOYZW54hdWk67ZYD6E1D1YeGZ
z66cI7NJ/uO+UoJFHEny/RBwz9V8YfAP/+9yohOSh7fxAc+D0L0nN389BrM10NrC
WV70B0Das2b4hlzcfxpe5Mv1b+QuvYiIY3gS6TFztRiEK1xOzxefFJT3hGb6mIAO
cMxlWA/6UzphCg/WyGGwwFJRPwpe7aRsiXIgVFevvtS34pvmyHuttNqtnIqzhD1+
W6U67lhQHjbLzcvRWuqWteMusNj4h74Gn1W7MTNQ6NAWtsYVTXJjTLkPR780eLHj
VKiI/9Fkq65YEtlMZy1Y3hblJ26dBZ+l6a9cUsZy6qLEXXiaRJBR+lX/eJDvf2Wg
cxrJiKn7f6Fe6IuNPoasfg5e48YDGKA3rOKMjAVxJ0kM5qqN7aiKHXIr0fz8bciy
gnD83UgOU9TVvzjuFh+475OprY6FQzA+f5xaBjaQkAEWHVvSmw9VzzAxaLtUmM8X
oaIEuW146ywQwZ1JLjJ4
=TNf9
-----END PGP SIGNATURE-----

The message was signed on the 18th April 2012 and posted on the same day on Pastebin: http://pastebin.com/iJCnw8EW

This is also the first time that 3301 referred to the group in any sense. This one was 'fellowship'.

The British writing of "organisation" is often brought up. Furthermore, in the Gematria Primus a single rune encodes both S and Z.

Further information

The "Los Andes Online" article was sourced or referenced nowhere else, and also never mentioned by any backed-up English source nor official police source.

In a hackforums thread [1] a user claiming to be "Necrome" confirms he was wrongfully associated as a 3301 member by a news media. He was sentenced to a second prison term for similar phishing scams in 2014. Necrome gives more information regarding these imprisonments on another thread [2]. From this perspective, his posting history makes sense. Furthermore his account was created in 2010 and he was last seen in 2021, making his story credible.

His second scam is documented by some news sources [3], saying it's his second sentence, the first one being for similar offences. Moreover the hacker's story told by news articles checks out with his sayings (prior to the articles).

  1. A screenshot of the thread can be read without the need to have an account there
  2. Screenshot
  3. https://www.emol.com/noticias/nacional/2014/02/07/643668/hacker.html