How I Obtained Satoshi's Treasure Keys 1, 2, and 3 in Minutes

Today (April 16th 2019 at noon) the first major clues to discover key #1 were set to be released in a few cities. A QR code with the word 'orbital' was found at these locations and looked like this: (https://imgur.com/a/6rNmz7T). If you read the QR code with your phone, you are directed to this URL: https://satoshistreasure.xyz/k1

At this URL you are prompted to input a passphrase to decrypt the first shard. An obvious first guess was to try the word 'orbital' from the QR code. Not surprisingly, this worked! This reveals a congratulations page and presents the first key shard:

ST-0001-a36e904f9431ff6b18079881a20af2b3403b86b4a6bace5f3a6a47e945b95cce937c415bedaad6c86bb86b59f0b1d137442537a8.

Now, we were supposed to wait until April 17th to get clues from the other cities for keys #2 and #3 but that wouldn't stop me from digging around with all the new information we had. All that time "playing" notpron (http://notpron.org/notpron/) years ago was going to help me here.

The first thing I noticed was the k1 in the url and quickly checked to see if k2, k3, and k4 existed. I was excited to see that both k2 and k3 already existed but k4 (and anything higher) did not appear to exist yet.

The next thing I noticed was that k2 and k3 were both exactly the same setup as k1 where it wanted me to input a passphrase to "decrypt the page". I thought this was strange wording as I expected the verification to happen server side. I checked the page source to find that the actual congrats page that reveals the shard was included in the source code (albeit encrypted by the passphrase).

The source code that runs when you submit a passphrase looks like this:

document.getElementById('staticrypt-form').addEventListener('submit', function(e) {
    e.preventDefault();

    var passphrase = document.getElementById('staticrypt-password').value,
        encryptedMsg = '13ea059e2490f645da28f5f1529ca...', // 64 hex chars of HMAC followed by the encrypted HTML
        encryptedHMAC = encryptedMsg.substring(0, 64),
        encryptedHTML = encryptedMsg.substring(64),
        decryptedHMAC = CryptoJS.HmacSHA256(encryptedHTML, CryptoJS.SHA256(passphrase).toString()).toString();

    if (decryptedHMAC !== encryptedHMAC) {
        alert('Bad passphrase!');
        return;
    }

    var plainHTML = CryptoJS.AES.decrypt(encryptedHTML, passphrase).toString(CryptoJS.enc.Utf8);

    document.write(plainHTML);
    document.close();
});

Let me break this down for you:

document.getElementById('staticrypt-form').addEventListener('submit', function(e) {});

This line is setting up the event listener for when the decryption form is submitted. This means when the form is submitted, whatever code is defined inside of function(e){} will run.

e.preventDefault();

This line isn't important but just prevents the browser from performing the default action when a form is submitted. If this wasn't included the page would likely refresh and not continue to run the code below.

var passphrase = document.getElementById('staticrypt-password').value;

This line reads the value you typed into the password box into a variable called passphrase. In our case this would hold the string "orbital" (assuming that is what you typed in).

encryptedMsg = '13ea059e2490f645da28f5f1529ca...'

I truncated this because it's a really long string but you can see the full string above. This is storing the fully encrypted passphrase and HTML of the congrats page.

encryptedHMAC = encryptedMsg.substring(0, 64);

This tells us that the first 64 characters of the encryptedMsg above represent the encrypted passphrase. This will be used to check if our passphrase is correct.

encryptedHTML = encryptedMsg.substring(64);

This tells us that the rest of the encrypted message is the actual HTML for the congrats page that contains the shard!

decryptedHMAC = CryptoJS.HmacSHA256(encryptedHTML, CryptoJS.SHA256(passphrase).toString()).toString();

Here we see that what I've been calling the "encrypted passphrase" is really the HMAC-SHA256 digest of the encrypted HTML, keyed with the hex string of sha256(passphrase). Essentially, if our passphrase is correct, then the decryptedHMAC will equal the encryptedHMAC.

if (decryptedHMAC !== encryptedHMAC) {
  alert('Bad passphrase!');
  return;
}

Here we can see the check for whether the passphrase you provided generates the encryptedHMAC. If the passphrase is not correct then the page will show you the error "Bad passphrase!"

var plainHTML = CryptoJS.AES.decrypt(encryptedHTML, passphrase).toString(CryptoJS.enc.Utf8);
document.write(plainHTML);
document.close();

If the passphrase is correct then it uses it to decrypt the encryptedHTML and then overwrites the page with the new HTML so you can see the congrats page!

After I saw this source code I realized that, because the check for whether or not the passphrase was correct was done locally, I could brute force this using a dictionary attack. I also assumed the passphrases for k2 and k3 would be English words.

I quickly googled for a downloadable English dictionary word list and opened a new Ruby script. A few minutes later I had this script:

require 'openssl'
require 'digest'

K1_encryptedHTML = "..."
K2_encryptedHTML = "..."
K3_encryptedHTML = "..."

K1_encryptedHMAC = "13ea059e2490f645da28f5f1529ca8095b1832ba95a0f3256b302ae58dca59af"
K2_encryptedHMAC = "2c5d8ae979d4dee1f33e7b3b11a8f57101e4c77e444d273dfc156f3f52a43934"
K3_encryptedHMAC = "e24b9cd8ba500e388252827e72f37b23e4c5eab209c36ce66bc3b71de45fdc4c"


File.foreach('words.txt') do | passphrase |
  # The pages key the HMAC with the hex SHA-256 digest of the passphrase
  sha256Passphrase = Digest::SHA256.hexdigest(passphrase.strip.downcase)
  # Lowercase names make these locals; constants would warn on every reassignment
  k1_decryptedHMAC = OpenSSL::HMAC.hexdigest('SHA256', sha256Passphrase, K1_encryptedHTML)
  k2_decryptedHMAC = OpenSSL::HMAC.hexdigest('SHA256', sha256Passphrase, K2_encryptedHTML)
  k3_decryptedHMAC = OpenSSL::HMAC.hexdigest('SHA256', sha256Passphrase, K3_encryptedHTML)

  if k1_decryptedHMAC.eql?(K1_encryptedHMAC)
    puts "Passphrase for K1 is #{passphrase}"
  end

  if k2_decryptedHMAC.eql?(K2_encryptedHMAC)
    puts "Passphrase for K2 is #{passphrase}"
  end

  if k3_decryptedHMAC.eql?(K3_encryptedHMAC)
    puts "Passphrase for K3 is #{passphrase}"
  end

end

Let me break it down section by section for you:

require 'openssl'
require 'digest'

Here we are just including Ruby libraries that are useful for working with crypto. They provide the ability to compute SHA256 and HMACSHA256, which we need for this problem.

K1_encryptedHTML = "..."
K2_encryptedHTML = "..."
K3_encryptedHTML = "..."

K1_encryptedHMAC = "13ea059e2490f645da28f5f1529ca8095b1832ba95a0f3256b302ae58dca59af"
K2_encryptedHMAC = "2c5d8ae979d4dee1f33e7b3b11a8f57101e4c77e444d273dfc156f3f52a43934"
K3_encryptedHMAC = "e24b9cd8ba500e388252827e72f37b23e4c5eab209c36ce66bc3b71de45fdc4c"

These are just storing the encrypted HTML and HMAC from the source code of each of the satoshistreasure.xyz decrypt pages.

File.foreach('words.txt') do | passphrase | 

This will loop over each word in my words.txt dictionary and assign each word to passphrase one at a time.

sha256Passphrase = Digest::SHA256.hexdigest(passphrase.strip.downcase)
k1_decryptedHMAC = OpenSSL::HMAC.hexdigest('SHA256', sha256Passphrase, K1_encryptedHTML)
k2_decryptedHMAC = OpenSSL::HMAC.hexdigest('SHA256', sha256Passphrase, K2_encryptedHTML)
k3_decryptedHMAC = OpenSSL::HMAC.hexdigest('SHA256', sha256Passphrase, K3_encryptedHTML)

This calculates the decrypted HMAC for all three puzzles from the current passphrase.

if k1_decryptedHMAC.eql?(K1_encryptedHMAC)
  puts "Passphrase for K1 is #{passphrase}"
end

if k2_decryptedHMAC.eql?(K2_encryptedHMAC)
  puts "Passphrase for K2 is #{passphrase}"
end

if k3_decryptedHMAC.eql?(K3_encryptedHMAC)
  puts "Passphrase for K3 is #{passphrase}"
end

This does a quick check to see if the decrypted HMAC is equal to the encrypted HMAC. If this is true then we know the passphrase is the solution to the problem!

When I ran this script, within a few seconds it output:

Passphrase for K3 is blackhole
Passphrase for K2 is cosmos
Passphrase for K1 is orbital

I was shocked! That was easy :). I checked each passphrase on the k2 and k3 decrypt pages to make sure they were correct. They were!

Hope this helps you understand how I was able to obtain three of the key shards in a few minutes. Please follow me on Twitter @johncantrell97 for future #satoshistreasure tips.
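Why the local check described above is so cheap to guess against, and what a slower verifier changes: this added example (not code from the gist or from satoshistreasure.xyz) rebuilds the page's tag layout over a constructed ciphertext and compares it with a salted PBKDF2 variant. The PBKDF2 design, the iteration count, the 500,000-word list size and all function names are assumptions made for illustration; it uses only Node.js's built-in crypto module.

```javascript
// Added example: not code from the gist or from satoshistreasure.xyz.
const crypto = require('crypto');

// Constructed stand-in for the AES ciphertext embedded in the page source.
const SAMPLE_CIPHERTEXT = 'U2FsdGVkX1-constructed-sample-ciphertext';

// Check described on the page: HMAC-SHA256 over the ciphertext, keyed with the
// hex string of SHA-256(passphrase). One hash plus one HMAC per attempt.
function fastTag(passphrase, ciphertext) {
  const key = crypto.createHash('sha256').update(passphrase).digest('hex');
  return crypto.createHmac('sha256', key).update(ciphertext).digest('hex');
}

// Same layout as the page's encryptedMsg: 64 hex chars of tag, then ciphertext.
function buildFastMessage(passphrase, ciphertext) {
  return fastTag(passphrase, ciphertext) + ciphertext;
}

function verifyFast(passphrase, encryptedMsg) {
  const tag = encryptedMsg.substring(0, 64);
  return fastTag(passphrase, encryptedMsg.substring(64)) === tag;
}

// Assumed hardening: derive the HMAC key with salted PBKDF2-HMAC-SHA256.
const KDF_ITERATIONS = 200000; // assumed work factor, not a value from the page

function slowTag(passphrase, saltHex, iterations, ciphertext) {
  const salt = Buffer.from(saltHex, 'hex');
  const key = crypto.pbkdf2Sync(passphrase, salt, iterations, 32, 'sha256');
  return crypto.createHmac('sha256', key).update(ciphertext).digest('hex');
}

function buildSlowRecord(passphrase, ciphertext, iterations = KDF_ITERATIONS) {
  const salt = crypto.randomBytes(16).toString('hex');
  const tag = slowTag(passphrase, salt, iterations, ciphertext);
  return { salt, iterations, tag, ciphertext };
}

function verifySlow(passphrase, rec) {
  return slowTag(passphrase, rec.salt, rec.iterations, rec.ciphertext) === rec.tag;
}

// Average wall-clock cost of one passphrase check, in milliseconds.
function msPerCheck(check, rounds) {
  const start = process.hrtime.bigint();
  for (let i = 0; i < rounds; i++) check('wrong-guess-' + i);
  return Number(process.hrtime.bigint() - start) / 1e6 / rounds;
}

// Compare both verifiers; wordCount is an assumed dictionary size.
function compare(passphrase = 'orbital', wordCount = 500000) {
  const fastMsg = buildFastMessage(passphrase, SAMPLE_CIPHERTEXT);
  const slowRec = buildSlowRecord(passphrase, SAMPLE_CIPHERTEXT);
  const fastMs = msPerCheck((g) => verifyFast(g, fastMsg), 2000);
  const slowMs = msPerCheck((g) => verifySlow(g, slowRec), 3);
  return {
    fastOk: verifyFast(passphrase, fastMsg),
    slowOk: verifySlow(passphrase, slowRec),
    // Seconds for one core to run the check once per dictionary entry.
    fastSeconds: (wordCount * fastMs) / 1000,
    slowSeconds: (wordCount * slowMs) / 1000,
  };
}

console.log(compare());
```

Stretching multiplies the cost of every guess but does not make a single dictionary word safe. A secret gated this way needs a long random passphrase, or a server-side check with rate limiting.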

@SamSamskies

commented Apr 16, 2019

Nice work! And thanks for documenting your process. 👏

@xavierfiechter

commented Apr 16, 2019

👍

@davendrabear

commented Apr 16, 2019

This is awesome - thank you for the thorough explanation.
I scanned the satoshistreasure site briefly and found this URL:
https://satoshistreasure.xyz/users/ - respond with a resource

Might just be for that e-mail subscriber list, might help out in the future ¯_(ツ)_/¯

@Tommixoft

commented Apr 16, 2019

Pretty easy. Junior JS students could easily do that. But nice that you shared it with the less IT-minded :D

@shanemelly

commented Apr 16, 2019

Thanks so much for the documented process. Very glad I didn't take that flight to London now ;)

@MrPilotMan

commented Apr 16, 2019

Do you have a link to the dictionary you used? I am having trouble finding one with "blackhole" in it.

@Pelpa87

commented Apr 17, 2019

And what about the locations? Where did this QR code appear? And what does this have to do with the satellites?

@paulrozehnal

commented Apr 17, 2019

I'm interested in Original Wizard's [OW] notes at the end of the keys.

In K1 OW mentions M. Bascule, a great hunter....does anyone know who that is?
In K2 OW refers to - Agnes Von Zeller, The Forgotten Hunt: An Oral History. cursory search found nothing.
In K3 OW uses the same quote in K2.

@lukehutch

commented Apr 17, 2019

Nice work!

Finding the API call to retrieve the Blockstream satellite message led me to this gist... https://api.blockstream.space/message/177

@pljspahn

commented Apr 17, 2019

@davendrabear I wouldn't waste any time following that /users path.

I'd wager my share of the prize the website was built with the express-generator which automatically includes the /users route and generic response "respond with a resource".

var express = require('express');
var router = express.Router();

/* GET users listing. */
router.get('/', function(req, res, next) {
  res.send('respond with a resource');
});

module.exports = router;

@Pon13

commented Apr 17, 2019

very nice !! thanks for the explanation !

@balibou

commented Apr 17, 2019

Ahah nice job @johncantrell97 !

@rraallvv

commented Apr 17, 2019

@johncantrell97 So, did you have to go in reverse with your DeLorean ?

@nicolasesprit

commented Apr 17, 2019

Nice work ! Thanks

@rafaellaurindo

commented Apr 17, 2019

Nice work! Thanks.

@C4G3J88

commented Apr 17, 2019

How did you find the position of the QR code?

@matthieuonfray

commented Apr 17, 2019

Great job. Did the same trick on my side in JS. Took 1 minute to solve it. Ruby is faster.
Good hunt !

@rodalbert

commented Apr 17, 2019

So nice ;)

@Yacarre

commented Apr 17, 2019

Create a telegram group for this challenge,
So between all of us to be able to solve it, those who want to join are invited

https://t.me/Satoshis_Treasure

@lover33

commented Apr 17, 2019

Incredible riddle! You have opened the gateways

@hunterford

commented Apr 17, 2019

My name is Hunter, and I was creeped out that the website knew my name. Turns out everyone is a Hunter, i.e. key hunter.

@oicu8

commented Apr 18, 2019

Amazing Work!!!! Looking forward to the next Adventure!!!!

@jagottsicher

commented Apr 18, 2019

After finding k2 and k3 I had a similar idea. Thanks for sharing your code and insights. This helps not only to solve the riddle, but also to educate yourself for a deeper understanding of cryptology! Thanks!

@forrestblade

commented Apr 18, 2019

https://api.blockstream.space/message/108

this URL can be incremented and you will receive downloads. Most of the time it has been text of news events for a certain day but there are also photos, and actually a link to this gist somewhere in the low 190's

I have no idea how this correlates with the challenge but I feel like something is here. If you look at the API documentation, it actually doesn't say anything about the /message/ end point. Curious what this API will do as the challenge plays out.

@bg002h

commented Apr 18, 2019

Thank you for pushing the message over satellite! I wouldn’t have known otherwise!

@Kopher

commented Apr 18, 2019

"The answer lies in your heart," the clue said. A metaphor, we all thought. But no -- there it was, inside my left ventricle, embroidered neatly in super-fine polymer. That's when I realized we were dealing with rift tech. That's when I got scared. (Agnes Von Zeller, The Forgotten Hunt: An Oral History)

@ghost

commented Apr 18, 2019

Nice work dude!

@schonhans

commented Apr 18, 2019

Ok, so now we need the next 397... out of 1000? Hmmm, when is it going to count that we have 400!?
Thanks.

@shieguy

commented Apr 18, 2019

I translated this to Python for those interested. Also included a resource that provides the wordlist that contains all 3 passwords.

https://github.com/shieguy/first/blob/master/treasurehunt123

@davendrabear

commented Apr 18, 2019

https://satoshistreasure.xyz/ssss

This URL was found on the site, figured I'd post it here as this thread will be an important hub of information.

Edit: I wanted to also note from my previous comment, this URL now says "Not Found" instead of "respond with a resource", so something was definitely changed. Not that this will be important to solving the private key, just wanted to note this.
https://satoshistreasure.xyz/users/

@RumPyrat

commented Apr 19, 2019

What a great read! Thanks so much for taking the time. I'm going to be following you on Twitter for sure. Is there any advice you can give to a guy who doesn't know how to code? How to get into this type of coding game? this stuff absolutely fascinates me.

@leckylao

commented Apr 19, 2019

Hi @davendrabear, can I ask how did you find the ssss URL? That looks useful

@Vuksan

commented Apr 20, 2019

Really nice documentation of the process.

@marcuskm

commented Apr 20, 2019

Hi, I wanna try doing the thing myself to learn how it is done, where should I start? How do I input the code I have written?

@M4N0V3Y

commented Apr 22, 2019

https://satoshistreasure.xyz/ssss is no longer available.
Key four has a different process to achieve. It was found a few hours ago. I am posting the key here now; tomorrow I will detail something about it.

ST-0004-9eeb558b5502a826d67b0bddb25f06fe4014d97aff40a5674e35b9dcc4e696b9a720e25f2ad8ae5b9b63b993dcf826258e65ae5b
They used Key 1 to achieve that (the GIF animation of the rabbit has the clue embedded in the file).

@M4N0V3Y

commented Apr 22, 2019

I am back.
Leporine Key:

The link for Key 4 solution is:
https://www.magellan.world/post/key-004-leporine-key-will-be-released-soon

The link for Key 4 (it is not /k4) is:
https://satoshistreasure.xyz/6WskbAMc8U6m3B68DdHL2QQ822odpPG

The passphrase is:
a dim light illuminated the darkness, casting shadows on the walls and revealing a single key hanging from a thread in the middle of the vault

@yavwa

commented Apr 22, 2019

Anyone with the second key? The Bismuth Key. Please share if you don't mind.

@mguomanila

commented Apr 22, 2019

you are a rockstar! bravo!!!

@suhailvs

commented Apr 22, 2019

@M4N0V3Y It is sad that they removed the https://satoshistreasure.xyz/ssss URL.
Did anybody copy the contents of the URL https://satoshistreasure.xyz/ssss?
So I created a GitHub page with solutions, so that if URLs are removed this will be helpful in the future.

@marcuskm

commented Apr 22, 2019

I have a copy of the content.
https://github.com/marcuskm/ssss/blob/master/Sathoshis%20Treasure%20ssss
Hope it works out

@M4N0V3Y

commented Apr 22, 2019

Thank you @marcuskm, @suhailvs, thank you guys! Let's wait for the next clue (key).
I think that, for a while, this key combination will not help too much. But we can extract some tips:

  1. The key prefix - ST-0XXX- is part of syntax for key combination
  2. it works offline

Sending again all four keys, their clues and passwords:
@yavwa
K1 - The Jade Key
ST-0001-a36e904f9431ff6b18079881a20af2b3403b86b4a6bace5f3a6a47e945b95cce937c415bedaad6c86bb86b59f0b1d137442537a8
password: orbital
k2 - The Bismuth Key
ST-0002-708e558bec86c4222185c944e92b15d1c83298a7e0697682b8904371b506eae7216be45c662ce73710cf5247f4381b2971cf9014
password: cosmos
k3 - Mamoru's Key
ST-0003-310c8cf65504794702b5d29f74aa8f5d7a2a68448d57732b8bc2278a8c6526ebb2820d41a9f809a56e8b542ec029ff20ff3f0d08
password: blackhole
k4 - The Leporine Key
ST-0004-9eeb558b5502a826d67b0bddb25f06fe4014d97aff40a5674e35b9dcc4e696b9a720e25f2ad8ae5b9b63b993dcf826258e65ae5b

passphrase: a dim light illuminated the darkness, casting shadows on the walls and revealing a single key hanging from a thread in the middle of the vault

I think now we are all on the same page. Now I have to go, I have work to do. When some news drops, please post it here!
Bye,

@M4N0V3Y

commented Apr 22, 2019

I am wondering... if they release ONE KEY per week, it will take seven years to accomplish the hunt. It will be a quest!
So, I think it will evolve and some people will drop the stick along the road.
Well, this hunt can become a quest of about seven years. If yes, how long do you think you can stand that?

@suhailvs

commented Apr 23, 2019

@marcuskm thanks. It worked. Here is the link

@marcuskm

commented Apr 23, 2019

@M4N0V3Y maybe it will take seven years, but my guess is that there will be released more keys per hint, just like first time where there were released 3 keys.

@marcuskm

commented Apr 23, 2019

Or release keys with a hint till the next keys.

@M4N0V3Y

commented Apr 23, 2019

Yeap. I think these first ones are the warm-up for the hunt.

@julian05060506

commented Apr 24, 2019

Maybe this is just a game, in order to attract more attention to the game sponsor or bitcoin, 7 years, no one knows whether bitcoin will still have value

@marcuskm

commented Apr 24, 2019

Maybe this hunt is for creating attention. If it is, we will probably experience a higher pace of clues being given; a seven-year race does not attract a lot of attention, at least not in the first 5 years. I don't know what intention the creators had when they created this, but my guess is that they would have loved this adventure in their own life, and now that they have the money and power, they have chosen to create it for the next generation.

@M4N0V3Y

commented Apr 24, 2019

So, @marcuskm, it seems that we will have a journey together (to win or to play and have fun) ;)

@marcuskm

commented Apr 24, 2019

For the journey, for the things we are gonna learn, for fun, and if we win I won't complain. For the hunt.

@yavwa

commented Apr 24, 2019

DISCLAIMER: JUST MY THINKING, PLEASE DON'T HOLD ME ACCOUNTABLE HOW YOU INTERPRET IT.

Nobody will reward the winner. What if we already have all that's needed from the 4 keys already out there?

K1 - The Jade Key, k2 - The Bismuth Key, k3 - Mamoru's Key & k4 - The Leporine Key

What's the relation between these four keys? Age hierarchy or just randomly picked?

@M4N0V3Y

commented Apr 24, 2019

@yavwa they are surely related to build the whole passphrase for the chest of treasure! (LOL) ... but I catch your thoughts, buddy.
If they can be combined to lead us to the next clues... well, I can't bind Jade, Bismuth, Mamoru and Leporine yet to raise the next clues for now. Maybe you are starting to walk through conspiracy theories about those keys (LOL) or maybe they are related and their relation shall provide clues for other keys... hum, I think about if it is worth spending time wondering whether they are bound or not (to generate new clues)... for now... Is it worth it? Too soon to tell.
Let's wait for the next key to be released, let's break it and try to feel if they are bound or not (to generate clues for other keys).

@M4N0V3Y

commented Apr 26, 2019

Next key - The Hunted Key (coming soon).

@M4N0V3Y

commented Apr 27, 2019

Guys. The main page changed. Now they are saying "... CLUES HERE FREQUENTLY,..." instead of " ... CLUES HERE EVERY SUNDAY NOON PST...". So, they may start publishing more often than once a week from now on. I think they are reading the stuff we post around the web.... Let's see. The hunt is becoming more fun than before!

@amingilani

commented Apr 29, 2019

Hey guys, please install the Wayback Machine or Archive.org's add-on and keep archiving the clue pages as you run into them. They keep removing stuff.

Also, the Hunter Key is out.

@marcuskm

commented Apr 29, 2019

Yes, and the first person has been located.

@suhailvs

commented Apr 30, 2019

Agent 1

https://www.facebook.com/jeffery.durand
Location: France, ask him for address
Book: stories of ibis (Japanese version)

@suhailvs

commented May 26, 2019

I updated my page with clues: https://suhailvs.github.io/treasure
