From n0v4 Wiki
Jump to: navigation, search

This page contains information on the Cicada 3301 mystery, and provides a chronological guide to the clues.


The Original Message

On the 5th January 2012, an image was posted on 4chan's /b/ board with the message

 Hello. We are looking for highly 
 intelligent individuals. To find them we have devised
 a test.
 There is a message hidden in this image. 
 Find it and it will lead you on the road to
 finding us. We look forward to meeting the
 few who will make it all the way through.
 Good Luck.

The Duck Decoy, The Caesar and OutGuess

When the image is opened in wordpad, the final line of text reads

TIBERIVS CLAVDIVS CAESAR says "lxxt>33m2mqkyv2gsq3q=w]O2ntk"

Using a Caesar cypher, the text lxxt>33m2mqkyv2gsq3q=w]O2ntk is revealed to be a link to a second image. This appears at first to be a dead end. However the text contains the words "out" and "guess". The image can be decoded using the steganography software OutGuess. When decoded the image contains a message.

The message contains a Book Code and a link to a subreddit.

The Subreddit, King Arthur and the Holy Grail

The Subreddit contains strings of text and also two images; "Welcome" and "Problems".

Problems is a a sterogram of a chalice made from images of King Arthur. Welcome and Problems each contain an OutGuess message; Welcome, Problems.

The subreddit image header and the title of the page are different representations of the same sequence of numbers:

10, 2, 14, 7, 19, 6, 18, 12, 7, 8, 17, 0, 19, 7, 14, 18, 14, 19, 13, 0, 1, 2, 0

This code is a key by which the text posted on the subreddit can be decoded to reveal another a story about king Arthur. This is the "book" the book code is used with.

When the the book code is used, a phone number is revealed; (214) 390-9608.

The Phone Number, The Message and The Primes

When (214) 390-9608 is called a recording plays which says:

 Very good.  You have done well.  There are three prime numbers associated with the original final.jpg image.  3301 is one of them. 
 You will have to find the other two.  Multiply all three of these numbers together and add a .com to find the next step.  Good 
 luck.  Goodbye.

The phone number has since been deactivated. The original image was 509x503 pixels, 509 and 503 are the other two primes. The product of 509, 503 and 3301 is 845145127.

The Website, The Cicada and The Countdown

At the website there was on image of a cicada and a countdown. The image of the cidada contain an OutGuess message.

You have done well to come this far.

Patience is a virtue.

Check back at 17:00 on Monday, 9 January 2012 UTC.

At the designated time, the site changed to reveal a string of numbers.

The Coordinates, The Symbol and The QR Codes

These numbers refer to coordinates all around the world. At these locations the picture of the cicada and a QR code can be found.

Locations marked "FOUND" have had the clues recovered

If you live next to one of the location marked with an asterisk and wish to help by providing pictures and QR codes from there, feel free to join the IRC channel (http://n0v4.com/irc.web.php?client=qweb&channel=cicada3310)

The Locations, The Links and The Poems

People checked out some of those locations and found notes attached to a lightpole with the cicada image and a QR-Code, which look like this. For some locations, no image is currently available.

The QR codes all link to unique URLs which all contain the same image of a circada, and the text "3301". When decoded using OutGuess these images contain messages. Some images contain duplicate messages. Two messages have been found so far, 1 and 2.

The TOR Website

The poem in this pastebin was found to be "Agrippa" by William Gibson. A TOR address with the indications: http://sq6wmgv2zcsrix6t.onion/cgi-bin/get_email was extracted which led us to:

The site contains instructions to enter an email address. Several days passed with no word, until people started reporting email arriving. All reported it only once, before dropping out of the collective solving all together.

The Mail

The mail contained a number.This number, added to the Tor URL, redirected to another page telling you the following message:


Hash: SHA1

This message will only be displayed once.

Here is a message that has been encrypted with RSA (the Crypt::RSA Perl module available in CPAN) :

- -----BEGIN COMPRESSED RSA ENCRYPTED MESSAGE----- Version: 1.99 Scheme: Crypt::RSA::ES::OAEP

[Crypted message in here]


Here is the public key used to encrypt it. Note that it has a low bit modulus and is therefore breakable:

$VAR1 = bless( {

                'e' => 65537,
                'n' => '[The key]',
                'Version' => '1.99',
                'Identity' => 
              }, 'Crypt::RSA::Key::Public' );

The encrypted message is a number. Break the decryption key, then come back to this same URL and enter the decrypted message to continue. Each person who has come this far has received a unique message encrypted with a unique key. You are not to collaborate. Sharing your message or key will result in not receiving the next step.

There is a second chance to get your own RSA message and key. Follow the "Numbers dot TK" hint to find it.

There are many fake messages out there. Only messages signed with public key ID 7A35090F are valid.

Good luck.



Version: GnuPG v1.4.11 (GNU/Linux)

iQIcBAEBAgAGBQJPEi5gAAoJEBgfAeV6NQkPMrQP/3LMYv8rg44LBR/ept5G4obG Y05S/b+tYxNXgII2NjrDJOJdT8A56369ffiIFV/Auq41Y2oWVjJnCT7f3VFC9T8L jYXijNoLo/1CT/slhXHZHBo2vgPoN+ucYeY3V67mtluTwy2cCImzOGNG5D5Q2IJG eQfvWVYHvxK0o6eMdgtZ83dwMlUWOyHOAxTFM7kR2WCccWBF+o+ErrD/eeDJJXuN ryh11bpodnzLzj/rWgnujMUpVRG+MsqPPqo3/SL9cBe54KSrGkL+wD7GjDpu1YK3 VSLsX6pQ0UW3CJgwO3PfrxB48U/JfRaSN4bJNCh8Kg65cd6fQ2fN14KIyXRrJXU1 j9CylKcBj/DYwBpv/J/j3KgcWRYQftZ7L42FY6+I34EgorFiRGx8hoZf1AoLb4Y3 boUZITIaGytm7iNpnSA0fBnCybxblOiKaPs193mdW+B5IlbvqBg0JUi61Dpa4J3G 8b5fAXMiw1fCJHixgBd/v7eZSjnDYGrFQTP857hdU8koHtJRWCskhreDBGHwZgy+ Whj8CnNfss8hxTlOxm8EGD2InhVVct9KW/mMFEP9KB/RnBugqL+E5JOhkhNvS4mk yNKZLBhwLInr/91AZKSd9D1NcvbC+aCDNXp68+tG2d/+lMD2dghtv8zJpi0QFw6Z RLFBgCDpdk08LuEPLzhB =eQt+



Cicada 3301 has been dark for weeks, with no new information for those who did not receive emails. Everyone else is left wondering what the email contained and what came of the "lucky" few to receive them?

herpderp signing off