January 5th 2012
Users browsing 4chan's /x/ board were greeted with a mysterious image, unlike much else really seen on that board. It displayed the following message in simple, white-on-black font:
There is a message hidden in this image. Find it and it will lead you on the road to finding us. We look forward to meeting the few who will make it all the way through. Good Luck. 3301
There was almost nobody browsing /x/ at that time who didn't notice it. Many initially thought it was another ARG, some thought it was an NSA recruitment program, and to this day few know where the rabbit hole leads to, and those that do have disappeared from the internet and have not told anybody else any more than they fear to let on.
"There is a message hidden in this image"
Solvers were quick to try different methods to find it. The most common use was to initially open the image file into a text editing application, which allows users to read a dump of the bytes in the image. This produced the following text at the end of the file:
TIBERIVS CLAVDIVS CAESAR says "lxxt>33m2mqkyv2gsq3q=w]O2ntk"
This was quickly found to be a Caesar cipher because of the repeated characters, hence the reference, and the deciphered text was URL.
Decrypting this cipher and following the URL led to the discovery of the following image file:
This was a difficult clue to follow, but solvers soon realized that it meant that the program OutGuess had to be used (hence the words guess and out).
In its simplest form, OutGuess is a steganography program designed to hide messages within images. More on OutGuess can be found at its very own wiki page.
Opening the image in OutGuess led to the following message (concatenated to fit better formatting. The original text can be found here ):
Here is a book code. To find the book, and more information, go to http://www.reddit.com/r/a2e7j6ic78h0j/ 1:20, 2:3, 3:5, 4:20, 5:5, 6:53, 7:1, 8:8, 9:2, 10:4, 11:8, 12:4, 13:13, 14:4, 15:8, 16:4, 17:5, 18:14, 19:7, 20:31, 21:12, 22:36, 23:2, 24:3, 25:5, 26:65, 27:5, 28:1, 29:2, 30:18, 31:32, 32:10, 33:3, 34:25, 35:10, 36:7, 37:20, 38:10, 39:32, 40:4, 41:40, 42:11, 43:9, 44:13, 45:6, 46:3, 47:5, 48:43, 49:17, 50:13, 51:4, 52:2, 53:18, 54:4, 55:6, 56:4, 57:24, 58:64, 59:5, 60:37, 61:60, 62:12, 63:6, 64:8, 65:5, 66:18, 67:45, 68:10, 69:2, 70:17, 71:9, 72:20, 73:2, 74:34, 75:13, 76:21 Good luck. 3301
The subreddit in question can be found here .
The subreddit contained lots of different text posts and two images, Welcome and Problems.
Each one contained an OutGuess message. Welcome's was this:
and Problems' was this:
Both of them were signed with PGP signatures, which are basically a completely secure method of ensuring that the message has come from the confirmed sender. You can learn more about GnuPG (a free version of PGP) at it's own wiki page.
You can download Cicada's GPG key straight from the MIT Keyserver (remember to always check the signature and data against the one available from MIT).
In the header of the subreddit, here, there was the following string given:
(The number sequence that is written using mayan numbers is as follows: 10 2 14 7 19 6 18 12 7 8 17 0 19
Comparing this with the a2e7j6ic78h0j7eiejd0120 in the title, we can see that numbers below 10 in the sequence above is also found in this string, at the same positions. Also note that instead of 10 we have “a”, instead of 14 we have “e”, and so on up to “j” being 19. Since the title of the page contains 23 characters and there were only 13 mayan numbers is is quite likely that we are supposed to continue converting characters from the title to numbers.)
10, 2, 14, 7, 19, 6, 18, 12, 7, 8, 17, 0, 19, 7, 14, 18, 14, 19, 13, 0, 1, 2, 0
Later was found that key was derived from King Arthur text. Translate each digit to a letter (from alphabet starting with A = 0) and you get kcohtgsmhirathosotnabca. Each letter is first letter in lines of decrypted text.
This was the 'key' that Problems mentioned, being the code to the shift cipher to be applied to the lines of text in the subreddit. If this is confusing, it basically means that each letter in each string was meant to be shifted by the number corresponding to it's location in the text. This produced the following story (not complete).
The code in the original message, as mentioned to be a book code, was applied here. If you're not familiar with book codes, the first number is the line, and the second number is the character in that line. Applying the book code to the text with the full stops removed gave the following string of text:
Call us at us tele phone numBer two one four three nine oh nine six oh eight
This was obviously a telephone number, specifically 2143909608 (Clickable and callable on a phone). This number has since deactivated. Calling this number initially gave the following message:
Very good. You have done well. There are three prime numbers associated with the original final.jpg image. 3301 is one of them. You will have to find the other two. Multiply all three of these numbers together and add a .com to find the next step. Good luck. Goodbye.
The original image had the dimensions of 509 and 503, both of which are prime numbers. These were multiplied with 3301 to equal 845145127, which gave us http://845145127.com . Note that 845145127 is also in brackets in the GPG key's name.
A backup of the page can be found here: https://web.archive.org/web/20150624035446/http://net-netz-blog.de/845145127.htm
Going to this website led to an image of a cicada and a countdown. Using OutGuess on the image produced the following message:
And so the solvers waited. And waited. And waited. And finally, after what seemed like years, the website changed.
The Scary Bit
Reapplying OutGuess on the cicada image produced a new message, containing co-ordinates, as well as two which were written on the website itself:
52.216802, 21.018334 48.85057059876962, 2.406892329454422 48.85030144151387,2.407538741827011 47.664196, -122.313301 47.637520, -122.346277 47.622993, -122.312576 37.5196666666667, 126.995 33.966808, -117.650488 29.909098706850486 -89.99312818050384 25.684702, -80.441289 21.584069, -158.104211 - -33.90281, 151.18421 36.0665472222222, -94.1726416666667 37.577070, 126.813122
These returned locations across the globe, meaning that unless you had access to all these locations, you'd be forced to collaborate with other users, like the main IRC channel on n0v4. At each of these locations, brave solvers found a sheet of paper stuck to a telegraph pole, with a QR code and an image of a cicada.
It took a while for this to sink in with the community, that this wasn't just a talented neckbeard in a basement, that this was actually a global organisation of some very very talented people.
Upon scanning these QR codes 2 different messages were revealed. These are:
Which the solvers knew to be book codes along with a description of each book. They also included a warning about too much collaboration, saying that only the first few, or the active few, that make it to the end will recieve entry.
The second code was found to have led to the poem Agrippa by typing in keywords from the description. This poem, found here, spat out the following after the book code was applied:
Which most will know to be a hidden service on the Tor network. By entering this page into a tor-equipped browser, users found the following message (GPG signature removed):
Congratulations! Please create a new email address with a public, free web-based service. Once you've never used before, and enter it below. We recommend you do this while still using tor, for anonymity. We will email you a number within the next few days (in the order in which you arrived at this page). Once you've recieved it, come back to this page and append a slash and then the number you recieved to this url. (For example, if you recieved "3894894230934209", then you would go to "[http:// http://sq6wmgv2zcsrix6t.onion/3894894230934209]") 3301
EDIT June 2017
"In twenty-nine volumes, knowledge was once contained" book was found. Encyclopaedia Britannica, 11th Edition, Volume 6, Slice 3 "Chitral" to "Cincinnati"
Mabinogion code paused at line 69 out of a total of 75. 6 from the beginning is Volume 6 - "cicada" is my first name. The rows have to be shifted down "1" row for some reason or you have to index first line with 0.
1:29 e 6:46 q 6 6 2:37 e 14:41 m 17:3 g 27:40 v 2 2 2:33 e 1:1 H 7:45 s 17:29 r 21:31 i 12:17 x 6 6 22:42 t 15:18 . 24:33 o 27:46 n 12:29 i 25:66 o 7:47 n
The way that these pages are run is that everything publicly available will go in part 1, and everything that wasn't publically available (and therefore questionable), will go in part 2. For the 2012 puzzle, it did not initially end at the first set of puzzles. If you want to cut to the chase and get straight to the emails recieved, go to Part 2. If you want to continue with the 'second chance', keep on reading.
The Second Chance
The following happened after someone initially leaked the original email sent to them. It included instructions for obtaining another RSA key (see Part 2), and the clue 'Numbers dot TK'. Sadly, there is no good documentation on what happened next here, so presumeably the solvers visited 845145127.tk, which led to another opportunity to get an email, as some certainly did. To read more, continue to Part 2.
Here are two other links that explain these steps of the puzzle in different ways that you may find helpful: