Games with the Unknown: How Hacker Quests Work and Why They’re So Addictive
Curiosity is the key to mastery. An enthusiastic person is willing to put in the effort to keep finding answers and satisfy their thirst for knowledge. One way to harness the power of curiosity is through hacker quests. These sit at the intersection of Alternate Reality Games (ARGs) and CTF competitions, drawing participants in with an air of mystery. But they don’t just entertain—they also provide real-world skills.
What is an ARG?
If you haven’t heard of Alternate Reality Games (ARGs), here’s a quick rundown. Imagine a game that uses the real world as its platform. More accurately, it’s an interactive narrative with game elements. Coordinating their efforts (usually online), ARG participants search for clues and follow the trail of a story invented by the creators. Clues can appear on specially created websites or in real life: on posters, hidden flash drives, voicemail messages, and so on.
It’s a massive multiplayer puzzle that combines role-playing and computer games, investigative journalism, sci-fi, and mystery. The audience’s influence on the outcome is so significant that the story can take an unexpected turn, end early, or stop halfway through.
Today, millions of people around the world play commercial ARGs. The main driving forces are curiosity, a love of puzzles, an interest in cryptography, and the desire to test one’s own knowledge. If you make it to the end, you’ll be one of the lucky few.
There are many commercial ARGs. Some of the most famous include I Love Bees (part of the viral marketing campaign for Halo 2), Lost Experience and Find 815 (which promoted the TV show Lost), and the well-known Portal universe puzzle. For our topic, Cicada 3301 and the Mr. Robot ARG are especially relevant.
ARGs, CTFs, and CTF-Style Quests: What’s the Difference?
ARGs have spawned entire online communities, and their ranks keep growing. The infosec crowd has also embraced this trend, leading to a cross-pollination with another popular genre—Capture The Flag (CTF) competitions. The result is sometimes called a “deepweb puzzle,” and these can rival full-fledged ARGs in complexity.
These quests differ from ARGs in that they lack a marketing component, and from CTFs in that they lack strict organization. You can participate solo or in teams of any size, with no prizes, points, or even an end date.
But the lack of pre-formed teams doesn’t mean there’s no teamwork. Players often band together in communities to help each other solve tough puzzles—on forums, wikis, subreddits, imageboards, and group chats. For example, the subreddit r/ARG is dedicated to online puzzles. Anyone can share a new quest, contribute to ongoing ones, or learn from solved ARGs.
Reddit has become the go-to platform for these activities, with users often being the first to find obscure pages on the dark web. Russian netstalker communities have also stumbled upon unique quests not mentioned on Reddit, often discovered by chance while searching for new dark web links. Once a page is found, the community unites to solve that piece of the larger online game. Sometimes, it’s unclear whether a web page is the beginning, middle, or end of the game.
The Sophie Quest
Let’s look at some CTF-style quests that caught our community’s attention for their complexity, originality, and execution. We’ll walk through one from start to finish, collecting a small toolkit of utilities along the way.
Part 1
It all starts as usual—someone finds a webpage belonging to Sophie. The homepage features a hex code, a yin-yang image, binary code at the bottom, and a strange melody called “whiterabbit” playing in the background.
The first thing any researcher should do is check the HTML source code. That’s where clues, developer comments, or links to the next level are often hidden. In this case, the developer console reveals a link to the author’s profile on BlackHatWorld and a hint: “Does only webpages have meta data?” Clearly, we need to look for metadata in the image.
Using Exif Regex or Metadata2go, we extract EXIF and XMP metadata. We learn the creator’s name is Sophie, she lives in Irkutsk, and the metadata’s “Source” field says “KGB”—a nod to rumors that intelligence agencies use ARGs to recruit talented players.
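The online tools above read metadata that sits in the image file as plain XML. This added example (not part of the original article) pulls an XMP packet out of raw file bytes with the Python standard library; the sample packet is constructed from the values the article reports, and the property names other than "Source" are assumptions.

```python
import re
import xml.etree.ElementTree as ET

RDF = "{http://www.w3.org/1999/02/22-rdf-syntax-ns#}"

def xmp_fields(blob: bytes) -> dict:
    """Return the properties of the first XMP packet found in a file's bytes."""
    # Assumes the conventional "x:" prefix on the xmpmeta wrapper element.
    match = re.search(rb"<x:xmpmeta\b.*?</x:xmpmeta>", blob, re.S)
    if match is None:
        return {}
    fields = {}
    for desc in ET.fromstring(match.group(0)).iter(RDF + "Description"):
        # Simple properties may be stored as attributes of rdf:Description...
        for name, value in desc.attrib.items():
            if not name.startswith(RDF):              # skip rdf:about
                fields[name.split("}")[-1]] = value
        # ...or as child elements; list-valued ones wrap their items in rdf:li.
        for child in desc:
            items = [li.text for li in child.iter(RDF + "li")]
            fields[child.tag.split("}")[-1]] = items or (child.text or "").strip()
    return fields

# Constructed sample: JPEG start/end markers around an XMP packet that carries
# the values the article mentions (creator Sophie, Irkutsk, Source "KGB").
SAMPLE = (
    b"\xff\xd8"
    b'<x:xmpmeta xmlns:x="adobe:ns:meta/">'
    b'<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">'
    b'<rdf:Description rdf:about="" '
    b'xmlns:dc="http://purl.org/dc/elements/1.1/" '
    b'xmlns:photoshop="http://ns.adobe.com/photoshop/1.0/" '
    b'photoshop:City="Irkutsk" photoshop:Source="KGB">'
    b"<dc:creator><rdf:Seq><rdf:li>Sophie</rdf:li></rdf:Seq></dc:creator>"
    b"</rdf:Description></rdf:RDF></x:xmpmeta>"
    b"\xff\xd9"
)

if __name__ == "__main__":
    for key, value in sorted(xmp_fields(SAMPLE).items()):
        print(f"{key}: {value}")
```

The same packet travels with every copy of the image, which is why publishing pipelines usually strip metadata before upload.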
Next, we decode the hex code using any hex to text decoder. The output is readable text, but it’s a dead end—experienced players know that some puzzles are designed to mislead.
We use DirBuster to scan for hidden directories and find /server-status, which contains a link to the next part.
Part 2
The next page shows only a photo, with no explanation. In these quests, organizers prefer to keep things mysterious, often hosting them on .onion sites. Checking the page’s code reveals nothing, so we download the image (of Napoleon) and view it as text (in a hex editor or notepad). At the bottom, we find the key: recital. Using it as a filename, we get a working link to the next stage.
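Text found "at the bottom" of an image is usually data appended after the JPEG end-of-image marker, which viewers ignore. This added example (not from the original article) walks the JPEG marker segments to find the real end of the image and lists printable strings after it; the sample bytes are a constructed JPEG skeleton, not a decodable picture.

```python
import re

def jpeg_end(data: bytes) -> int:
    """Offset just past the EOI marker, found by walking the marker segments."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (no SOI marker)")
    i = 2
    while i + 1 < len(data):
        if data[i] != 0xFF:
            raise ValueError(f"lost marker sync at offset {i}")
        marker = data[i + 1]
        if marker == 0xFF:                      # fill byte before a marker
            i += 1
        elif marker == 0xD9:                    # EOI: the image ends here
            return i + 2
        elif marker == 0x01 or 0xD0 <= marker <= 0xD7:
            i += 2                              # standalone markers, no length
        else:
            i += 2 + int.from_bytes(data[i + 2:i + 4], "big")
            if marker == 0xDA:                  # SOS: skip entropy-coded data
                while i + 1 < len(data) and not (
                        data[i] == 0xFF and data[i + 1] != 0x00
                        and not 0xD0 <= data[i + 1] <= 0xD7):
                    i += 1
    raise ValueError("no EOI marker found")

def trailing_strings(data: bytes, min_len: int = 4) -> list:
    """Printable ASCII runs in whatever follows the end of the image."""
    tail = data[jpeg_end(data):]
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [run.decode("ascii") for run in re.findall(pattern, tail)]

# Constructed sample. The APP1 payload contains the bytes FF D9 on purpose,
# so a naive search for the first FF D9 would stop inside the header.
SAMPLE = (
    b"\xff\xd8"                              # SOI
    b"\xff\xe1\x00\x06\xff\xd9AB"            # APP1, length 6, payload FF D9 41 42
    b"\xff\xda\x00\x04\x00\x00"              # SOS header, length 4
    b"\x12\xff\x00\x34\xff\xd0\x56"          # scan data: stuffed FF00 and RST0
    b"\xff\xd9"                              # EOI
    b"\nrecital\n"                           # appended text, as in the article
)

if __name__ == "__main__":
    print("image ends at offset", jpeg_end(SAMPLE))
    print("strings after EOI:", trailing_strings(SAMPLE))
```

A non-empty result on an uploaded image is a cheap signal that the file carries something besides the picture.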
Part 3
The final page features a clock and a strange cipher. Inspecting the code, we see the clock is clickable, revealing another hint. Comparing the two images, we get the final cipher: LQCRJGLNPG. Using dCode, we decode it to wonderland.
This quest has long been solved, but the sites are still active. Rumor has it the quest was created to promote the BlackHatWorld forum.
Suspicious FTPs and Steganography
Once, while exploring the Onion network, I found an FTP server with a lone WAV file. Curious, I opened it in Audacity and checked the spectrogram, revealing hidden symbols: USI. I’ve seen these before, but their meaning remains a mystery.
On December 1, another similar FTP server was found with three images, all showing the number 1999 and the familiar USI symbols. I tried every possible approach, but nothing worked. This led me to use tools for finding hidden data in images, like Stegsolve (for pixel analysis) and Steghide (for embedding/extracting text with a passphrase). Using 1999USI as the password, I extracted a text file from each image, each encrypted differently: AES-256, Polybius square, and Base36.
Using online tools, I decrypted the texts and assembled three fragments of a .onion address. Visiting it led to another image and strange text. Steganography didn’t help with the third image. On Reddit, there’s a discussion where these USI images were posted among others, but their order and connection remain unclear. Due to the instability of Tor hosting, some links may be unavailable.
It seemed like the end, with no answer to the meaning of 1999USI. But that same day, I found another FTP server with six audio files. Audacity’s spectrogram revealed the numbers 1999.07.04. What happened on July 4, 1999? I still don’t know. The quest is likely lost with Daniel’s Hosting, and aside from a Reddit post, it’s not mentioned elsewhere. Not every puzzle you find online can be solved.
BioHazard and Cicada Imitations
You’ve probably heard of Cicada 3301—the famous, large-scale hacker quest whose organizers remain unknown. Its popularity and mystery have made it a target for imitation.
The original Cicada 3301 message appeared in January 2012 on 4chan: “We are looking for highly intelligent individuals. To find them, we have devised a test. There is a message hidden in this image. Find it, and it will lead you to us. We look forward to meeting the few that will make it all the way through. Good luck.” Signed: 3301.
Some people reached the end and, presumably, joined the group. But what Cicada 3301 is and what it does remains a mystery. You can read more in the article “The Cicada Mystery” from the May 2014 issue of “Hacker” magazine. Since then, Cicada has been silent—at least publicly.
On March 21, an unknown user sent several Morse code messages and a QR code image to the secinfosec Telegram chat. The messages were soon deleted, but not before being saved. The Morse code, when decoded, revealed a string that looked like a link. Applying a Caesar cipher, it became: VKFREEROULETEHTTPS://VAPP.COM.000WEBHOST. It turned out to be an ad, hidden behind two ciphers. This example shows how ARG themes have become embedded in online culture. Don’t fall for every “Cicada” you see!
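The two layers described above can be peeled off without knowing the key: decode the Morse, then try all 26 Caesar shifts and keep the ones that produce a recognisable crib such as HTTP. This is an added example, not code from the original article; the article gives neither the Morse text nor the shift, so the captured message is reconstructed from the published result with an assumed shift of 7.

```python
import string

# International Morse code for A-Z, 0-9 and the punctuation a URL needs.
SYMBOLS = string.ascii_uppercase + string.digits + ".:/"
CODES = (
    ".- -... -.-. -.. . ..-. --. .... .. .--- -.- .-.. -- -. --- .--. --.- .-. "
    "... - ..- ...- .-- -..- -.-- --.. "
    "----- .---- ..--- ...-- ....- ..... -.... --... ---.. ----. "
    ".-.-.- ---... -..-."
).split()
MORSE = dict(zip(SYMBOLS, CODES))
UNMORSE = {code: symbol for symbol, code in MORSE.items()}

def to_morse(text: str) -> str:
    return " ".join(MORSE[ch] for ch in text)

def from_morse(morse: str) -> str:
    return "".join(UNMORSE[token] for token in morse.split())

def caesar(text: str, shift: int) -> str:
    """Rotate A-Z by `shift`; digits and punctuation pass through unchanged."""
    return "".join(
        chr((ord(ch) - 65 + shift) % 26 + 65) if ch in string.ascii_uppercase else ch
        for ch in text
    )

def crack(ciphertext: str, cribs=("HTTP", "WWW")) -> list:
    """Try every shift and keep candidates that contain a known crib."""
    hits = []
    for shift in range(26):
        candidate = caesar(ciphertext, -shift)
        if any(crib in candidate for crib in cribs):
            hits.append((shift, candidate))
    return hits

# The decoded string as printed in the article.
PAGE_RESULT = "VKFREEROULETEHTTPS://VAPP.COM.000WEBHOST"
# Constructed input: the article does not state the shift, 7 is an assumption.
ASSUMED_SHIFT = 7
CAPTURED = to_morse(caesar(PAGE_RESULT, ASSUMED_SHIFT))

if __name__ == "__main__":
    for shift, text in crack(from_morse(CAPTURED)):
        print(f"shift {shift}: {text}")
```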
Conclusion
We’ve explored a few puzzle quests and the techniques used to solve them. Cicada 3301 started this fascinating trend, and unsolved puzzles are still out there. Creating your own quests can be just as fun as solving them!
Both creators and players hone their skills in cryptography, steganography, and sometimes the most unexpected fields. Few things are as engaging as these games. For me, seeing a biohazard symbol in a random audio file’s spectrogram was priceless.
While knowing the right tools helps, sometimes they’re useless. I used to scan every dark web resource for hidden directories, but in ARGs and similar quests, erudition and creative thinking are far more valuable.