After reading about Coin Artist’s epic Dark Wallet puzzle I decided to try my hand at crafting a (slightly less difficult) steganographic bitcoin treasure hunt. The idea was that the first person who got to the final clue and solved it would be able to collect a reward of bitcoins be revealing the private key to an address that I created and funded. I spent several weeks crafting the hunt; it took a little over a day before someone navigated their way to the end of the hunt. Here are the steps to the solution:
The hunt began with this tweet:
The QR code in this image resolves to a URL: http://lopp.net/puzzled/puzzled.png
This is the obvious clue in step 2 that both allows the user to determine whether or not the treasure has been claimed and lets them see the amount of the reward for solving the puzzle.
The hidden message at this step is in the image’s EXIF meta data. You can use either an online tool such as http://www.extractmetadata.com/ or a Linux command line tool such as “exiv2" to read the meta data. If you do so, you’ll see:
Comment: Continue to https://i.imgur.com/B8CHauj.png
This step involves a Sudoku puzzle:
The solution to the puzzle is:
The image in this step links to an encrypted zip file at http://lopp.net/puzzled/treasure.zip and the decryption password is a combination of the Sudoku answer and a riddle:
“Sudoku’s hefty answer shan’t reveal the prize just yet…”
The key to this riddle is Sudoku’s hefty answer shan’t.
That is: SHA SHA
That is: SHA-2
The last half of the riddle narrows the set of SHA-2 hash functions to a single one “… the key to the next lock is 17 characters shorter.”
The member of the SHA-2 family that creates a (81–17 =) 64 character hash is SHA-256, which is used by the Bitcoin protocol.
So we take the 81 characters read left-to-right and top-to-bottom of the Sudoku answer:
And find the SHA-256 hash; there are various online and command line tools for doing so, such as http://www.xorbin.com/tools/sha256-hash-calculator
We find that the hash is:
Use the hash to decrypt the zip file. Inside the zip is a README file that holds the clue: “Sometimes the world’s greatest treasures are hidden in plain view.”
The zip also contains an image with a hidden private key that I added as a 99% transparent layer. The private key can be exposed by jacking up the brightness and contrast, or by overlapping the image upon itself as layers and performing layer manipulation functions such as Gimp’s “layer divide.”
The QR will be exposed in the lower left corner of the image, which translates to the private key:
Load the private key into your Bitcoin client of choice and transfer the funds to a new safe address that is only under your control!
Crafting this treasure hunt was a fun learning experience for me, but it was also a ton of work. I found the biggest challenge to be the creation of clues that were sufficiently difficult while not being impossible. I look forward to creating more treasure hunts in the future!