The hunt for a million dollars' worth of bitcoin began just a few days ago, but one inventive hacker has already passed the first stage in a couple of minutes, without leaving home.
Satoshi's Treasure is an alternate reality game that encourages players to team up to find clues hidden in real-world locations. From time to time tips are distributed through the newsletter.
The game continuously broadcasts a leaderboard of the players closest to the prize. The private key is split into 1000 pieces in total; $1 million in bitcoin will be unlocked once the first 400 pieces are found.
Hints to the first three keys were distributed via the Blockstream bitcoin satellite on April 15. They were meant to send players looking for QR codes hidden in San Francisco, London, Uganda, China and Australia.
Received a new message over @Blockstream Satellite. It appears to be a treasure hunt for $1,000,000 in #bitcoin, with included GPS coordinates for the first part of the hunt! this on!!! https://t.co/M4mKMbQ8KU
grubles (@notgrubles) April 15, 2019
Instead of traveling around the world, player John Cantrell completed the first stage simply by cracking that information.
To prove the result, he posted the work on GitHub and tweeted about it:
"I just explained how to get the first three pieces of the key in a few minutes."
— John Cantrell (@JohnCantrell97) April 16, 2019
Cantrell started by using a QR code found and downloaded by the same treasure hunter. Since this was the first clue, the rest was relatively simple: scanning it provided the player with a key, with the password included in the QR code itself.
"Then we had to wait until April 17 to get the keys to the following cities, No. 2 and No. 3. But I didn't wait and rummaged through the information that was already available," Cantrell wrote. "My rich experience of playing 'Notpron' helped me in this."
Cantrell checked the source code of Satoshi's Treasure sites and found encrypted passwords for the next two keys.
"After I saw the source code, I realized that password validation could be done locally. As a result, I carried out a dictionary attack," he added. "My conclusion was that the passwords for key number 2 and key number 3 would be English words."
To break the encryption, a Ruby script was used, which found the words necessary to unlock the 2nd and 3rd keys the day before their release.
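Why a password check that runs inside the page is weak, as an added example (not Cantrell's script and not the game's code): it assumes the page carried a SHA-256 digest of the password, and the secret, the word list and the ServerCheck class are constructed for illustration. It contrasts that design with server-side verification, where every guess is visible to the operator and limited per client.

```ruby
require "digest"

# Constructed sample data (not from the game): a secret word and a word list.
SECRET   = "orbital"
WORDLIST = %w[apple bitcoin orbital satellite treasure].freeze

# Weak design (assumed scheme): the page source carries a digest of the
# password, so any copy of the page can validate guesses by itself.
PAGE_DIGEST = Digest::SHA256.hexdigest(SECRET)

def client_side_check(guess)
  Digest::SHA256.hexdigest(guess) == PAGE_DIGEST
end

# Hardened design: the secret never leaves the server, every guess is a
# request the operator can count, and each client gets a small budget.
class ServerCheck
  attr_reader :requests_seen

  def initialize(secret, max_attempts:)
    @digest = Digest::SHA256.digest(secret)
    @max = max_attempts
    @attempts = Hash.new(0)
    @requests_seen = 0
  end

  def verify(client_id, guess)
    @requests_seen += 1
    return :locked if @attempts[client_id] >= @max
    @attempts[client_id] += 1
    constant_time_equal?(Digest::SHA256.digest(guess), @digest) ? :ok : :wrong
  end

  private

  # Compare equal-length digests without an early exit on the first mismatch.
  def constant_time_equal?(a, b)
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Runs the same word list against both designs and reports what the operator sees.
def audit(max_attempts: 2)
  server = ServerCheck.new(SECRET, max_attempts: max_attempts)
  offline = WORDLIST.find { |w| client_side_check(w) }
  seen_offline = server.requests_seen # local checks never reach the server
  online = WORDLIST.find { |w| server.verify("client-1", w) == :ok }
  { offline: offline, seen_offline: seen_offline, online: online, seen_online: server.requests_seen }
end
```

With the local check, the word list finishes without the server logging a single request; with the server-side check, the same list is cut off once the attempt budget is spent and every guess is recorded.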
In response to these reports, Dovey Wan of Wheatpond (one of the firms involved in the development of Satoshi's Treasure) wrote:
"That's right, we did it specifically to check the level of skills of players. The faster it happened, the faster the difficulty level increased."
For those who want to play Satoshi's Treasure the way Cantrell did, that is, without leaving the apartment, the full description of the technique is here.