TL;DR: “Hey @wheatpond,” John Cantrell half-teased mere hours after the first three clues for Satoshi’s Treasure toward the coveted $1 million prize in bitcoin were released, “assuming you have say in the future of #satoshistreasure, consider not putting the encrypted html client side. I was able to dictionary attack all three of the first keys in a few minutes. Should verify solution server side!”
$1 Million Bitcoin Prize Initial Clues Cracked “In a Few Minutes”
“Today (April 16th 2019 at noon) the first major clues to discover key #1 was set to be released in a few cities,” Cantrell posted to his GitHub. “A QR code with the words ‘orbital’ were found at these locations and looked like this: (https://imgur.com/a/6rNmz7T). If you read the QR code with your phone you will be directed to this url: https://satoshistreasure.xyz/k1.”
As CoinSpice reported, Satoshi’s Treasure is offering $1 million USD worth of bitcoin to anyone who can find and assemble 400 of 1,000 pieces from a cold storage wallet, seemingly scattered all over the world. Cantrell appears to have quite the head start.
“At this URL you are prompted to input a passphrase to decrypt the first shard,” he detailed. “An obvious first guess was to try the word ‘orbital’ from the QR code. Not surprisingly this worked!” Indeed, he was greeted with a congratulations page. And while other hunters no doubt waited for more clues, he soldiered on.
That Wouldn’t Stop Me From Digging Around
“Now, we were supposed to wait until April 17th to get clues from the other cities for keys #2 and #3 but that wouldn’t stop me from digging around with all the new information we had. All that time ‘playing’ notpron (http://notpron.org/notpron/) years ago was going to help me here,” Cantrell explained.
“The first thing I noticed was the k1 in the url and quickly checked to see if k2, k3, and k4 existed. I was excited to see that both k2 and k3 already existed but k4 (and anything higher) did not appear to exist yet.” He went on to notice the similarity in setups, and listed the source code that decrypts the page when prompted. From there, it’s coder pornography, as Cantrell gives a step-by-step tutorial, including a brute force dictionary attack by googling “for a downloadable dictionary english word list and [opening] a new ruby script.”
In fairness, advisor to the Satoshi’s Treasure project, Eric Meltzer, warned CoinSpice in an interview a day before, “I would be SHOCKED if [no one cracks the clues], the internet is insanely insanely good at solving puzzles. I’m much more worried they will solve them too fast than too slowly.”
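Cantrell’s suggestion to verify the solution server side, sketched as an added Ruby example that is not from the article or from Cantrell’s write-up: the same passphrase-protected blob is checked once in the browser-side design, where guesses cost nothing and the server never sees them, and once behind a server that counts attempts. The cipher, KDF, word list and the names `seal`, `open_blob` and `ServerSideCheck` are assumptions, since the page does not say how the site encrypted its pages.

```ruby
require "openssl"

# Constructed stand-in: the page does not state the site's cipher or KDF, so
# AES-256-GCM with PBKDF2 (low iteration count, for a quick demo) is assumed.
def derive_key(passphrase, salt)
  OpenSSL::PKCS5.pbkdf2_hmac(passphrase, salt, 1_000, 32, OpenSSL::Digest.new("SHA256"))
end

def seal(passphrase, html)
  salt = OpenSSL::Random.random_bytes(16)
  c = OpenSSL::Cipher.new("aes-256-gcm").encrypt
  c.key = derive_key(passphrase, salt)
  iv = c.random_iv
  ct = c.update(html) + c.final
  { salt: salt, iv: iv, ct: ct, tag: c.auth_tag }
end

# Returns the plaintext, or nil when the GCM tag rejects the passphrase.
def open_blob(blob, passphrase)
  d = OpenSSL::Cipher.new("aes-256-gcm").decrypt
  d.key = derive_key(passphrase, blob[:salt])
  d.iv = blob[:iv]
  d.auth_tag = blob[:tag]
  d.update(blob[:ct]) + d.final
rescue OpenSSL::Cipher::CipherError
  nil
end

# Design 1: the blob ships to the browser. Anyone holding it can test guesses
# locally; the server sees no attempt, so it can neither throttle nor log one.
def client_side_guesses(blob, guesses)
  guesses.find { |g| open_blob(blob, g) }
end

# Design 2: the blob stays on the server, which counts attempts per client.
class ServerSideCheck
  def initialize(blob, max_attempts)
    @blob, @max, @seen = blob, max_attempts, Hash.new(0)
  end

  def submit(client_id, guess)
    return :locked_out if @seen[client_id] >= @max
    @seen[client_id] += 1
    open_blob(@blob, guess) || :wrong
  end
end

WORDS = %w[apple river stone orbital window] # constructed sample word list
BLOB = seal("orbital", "<h1>shard</h1>")     # constructed page content
```

With the attempt counter in place, a weak passphrase is still weak, but every guess becomes a request the server can refuse, delay and log.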
DISCLOSURE: The author holds cryptocurrency as part of his financial portfolio, including BCH.