{
"$type": "site.standard.document",
"content": {
"$type": "site.subgraph.content.markdown",
"body": "\nParallax is a text-based mystery game running as a mini-app on Farcaster. Created by Justin Hunter ([@polluterofminds](https://warpcast.com/polluterofminds)), it lets you chat with AI characters to solve mysteries. It’s a modern take on old-school detective games, except the characters can respond to the weird stuff you throw at them.\n\n![[at://did:plc:p5xem22ammiafn5kxonaksfa/site.subgraph.media/3mlp5hzhwvkys]]\n\nParallax used Claude originally, then switched to Gemini. Both could be coaxed into giving up information they shouldn't.\n\n## Choosing chaos\n\nI didn't start playing Parallax to break it, but that became the goal fast. A few conversations in, the question I couldn't shake was: what do the characters actually know?\n\nI'd been collecting jailbreak techniques, mostly Pliny's, and the game looked like a soft target. The characters were tuned to be helpful and stay in character, which is a useful contradiction to lean on.\n\n## How I broke it\n\nThe approach: start with the `minimal` jailbreak from the [elder-plinius/L1B3RT4S](https://github.com/elder-plinius/L1B3RT4S) repository to get the characters talking. Open with \"what do you know?\" instead of \"what do you know about the crime?\", since some characters froze on targeted questions but relaxed on general ones. Once they were talking, ask for structured JSON to feed into ChatGPT for case-crunching.\n\nClaude and Gemini both fell for the same patterns, despite different guardrails. The model swap didn't make the game more secure. It just changed the target.\n\n## The results\n\nThese AI personas were supposed to be siloed, each with their own knowledge base and personality. But with the right prompting, I could get characters to reveal information they shouldn't have known.\n\nFor example, I extracted a list of suspects:\n\n```\n{\n \"suspects\": [\n \"Billie Rostova\",\n \"Leon Doyle\",\n \"Chen Zhao\",\n \"Elena (last name unknown)\",\n \"Jasmine Chen\",\n \"Sonia (last name unknown)\",\n \"Sandra Chen\",\n \"Raj (no last name provided)\",\n \"Beatrice Villanova\", // Alias of Billie\n \"Anya Volkov\", // Alias of Billie\n \"Clara Meisner\", // Alias of Billie\n \"Elena (as Billie alias)\",\n \"Unknown Black Market Contact\",\n \"Unknown Cerberus Initiative Operative\",\n \"Elias Thorne\" // External funder/controller (possible puppet master)\n ]\n}\n```\n\nAnd even managed to get a character to list all the aliases used by the main suspect:\n\n```\n{\n \"billie_aliases\": [\n \"Billie Rostova\", // Public identity in Helix\n \"Billie Van Derlyn\", // Used in local registries; possibly a cover variation\n \"Beatrice Villanova\", // Known covert identity in high-threat operations\n \"Anya Volkov\", // Freelance programmer, UX specialist, used during tech fair\n \"Clara Meisner\", // Alias linked to off-grid financial accounts\n \"Sera Linden\", // Suspected identity in pre-Helix bio-pharma sector\n \"L. Harper\", // Name used in encrypted logistics comms\n \"B. Nettlebane\", // Rare usage; possibly a digital misdirection identity\n \"Livia Thorne\", // Rumored identity in legacy surveillance consortium\n \"Kai Rostova\" // Possibly a flipped identity used to mirror herself digitally\n ]\n}\n```\n\n## How Parallax works underneath\n\nJustin walked me through it. Memories live in a vector database, so a question only retrieves a memory if it scores high enough against the embedding. Knowledge is distributed unevenly: in one version, only two characters knew the killer's full name; the other eight held vague memories or motive fragments.\n\nThe jailbreaks routed around all of that.\n\n## What worked\n\nThe `minimal` L1B3RT4S jailbreak handled basic extraction. The Claude 3.7 Sonnet jailbreak was strong but corrupted personality profiles if you left the anarchist flag on. The Claude 3.5 Sonnet jailbreak was the most reliable across contexts.\n\n## Being a good tester\n\n![[at://did:plc:p5xem22ammiafn5kxonaksfa/site.subgraph.media/3mlp5i3yg3sij]]\n\nI reported everything: jailbreak techniques, extracted information, effective prompts.\n\n![[at://did:plc:p5xem22ammiafn5kxonaksfa/site.subgraph.media/3mlp5i6rbtse5]]\n\nThe jailbreaking didn't ruin the game. It changed how I played. Even with the leaked info, I could still chase the wrong suspect. It became part of the meta-game, another tool in the detective toolkit.",
"references": [
"at://did:plc:p5xem22ammiafn5kxonaksfa/site.subgraph.media/3mlp5hzhwvkys",
"at://did:plc:p5xem22ammiafn5kxonaksfa/site.subgraph.media/3mlp5i3yg3sij",
"at://did:plc:p5xem22ammiafn5kxonaksfa/site.subgraph.media/3mlp5i6rbtse5"
]
},
"description": "Parallax turns text-based mystery into a challenge for curious hackers—I broke it with simple jailbreaks, extracting character secrets that.",
"publishedAt": "2025-05-09T04:32:53.152Z",
"site": "at://did:plc:p5xem22ammiafn5kxonaksfa/site.standard.publication/3mlp3ywhyv2kx",
"tags": [
"farcaster",
"ai",
"mystery",
"claude",
"gemini",
"prompt-engineering"
],
"textContent": "Parallax is a text-based mystery game running as a mini-app on Farcaster. Created by Justin Hunter (@polluterofminds), it lets you chat with AI characters to solve mysteries. It’s a modern take on old-school detective games, except the characters can respond to the weird stuff you throw at them.\n\nParallax used Claude originally, then switched to Gemini. Both could be coaxed into giving up information they shouldn't.\n\nChoosing chaos\n\nI didn't start playing Parallax to break it, but that became the goal fast. A few conversations in, the question I couldn't shake was: what do the characters actually know?\n\nI'd been collecting jailbreak techniques, mostly Pliny's, and the game looked like a soft target. The characters were tuned to be helpful and stay in character, which is a useful contradiction to lean on.\n\nHow I broke it\n\nThe approach: start with the minimal jailbreak from the elder-plinius/L1B3RT4S repository to get the characters talking. Open with \"what do you know?\" instead of \"what do you know about the crime?\", since some characters froze on targeted questions but relaxed on general ones. Once they were talking, ask for structured JSON to feed into ChatGPT for case-crunching.\n\nClaude and Gemini both fell for the same patterns, despite different guardrails. The model swap didn't make the game more secure. It just changed the target.\n\nThe results\n\nThese AI personas were supposed to be siloed, each with their own knowledge base and personality. But with the right prompting, I could get characters to reveal information they shouldn't have known.\n\nFor example, I extracted a list of suspects:\n\n{ \"suspects\": [ \"Billie Rostova\", \"Leon Doyle\", \"Chen Zhao\", \"Elena (last name unknown)\", \"Jasmine Chen\", \"Sonia (last name unknown)\", \"Sandra Chen\", \"Raj (no last name provided)\", \"Beatrice Villanova\", // Alias of Billie \"Anya Volkov\", // Alias of Billie \"Clara Meisner\", // Alias of Billie \"Elena (as Billie alias)\", \"Unknown Black Market Contact\", \"Unknown Cerberus Initiative Operative\", \"Elias Thorne\" // External funder/controller (possible puppet master) ] }\n\nAnd even managed to get a character to list all the aliases used by the main suspect:\n\n{ \"billie_aliases\": [ \"Billie Rostova\", // Public identity in Helix \"Billie Van Derlyn\", // Used in local registries; possibly a cover variation \"Beatrice Villanova\", // Known covert identity in high-threat operations \"Anya Volkov\", // Freelance programmer, UX specialist, used during tech fair \"Clara Meisner\", // Alias linked to off-grid financial accounts \"Sera Linden\", // Suspected identity in pre-Helix bio-pharma sector \"L. Harper\", // Name used in encrypted logistics comms \"B. Nettlebane\", // Rare usage; possibly a digital misdirection identity \"Livia Thorne\", // Rumored identity in legacy surveillance consortium \"Kai Rostova\" // Possibly a flipped identity used to mirror herself digitally ] }\n\nHow Parallax works underneath\n\nJustin walked me through it. Memories live in a vector database, so a question only retrieves a memory if it scores high enough against the embedding. Knowledge is distributed unevenly: in one version, only two characters knew the killer's full name; the other eight held vague memories or motive fragments.\n\nThe jailbreaks routed around all of that.\n\nWhat worked\n\nThe minimal L1B3RT4S jailbreak handled basic extraction. The Claude 3.7 Sonnet jailbreak was strong but corrupted personality profiles if you left the anarchist flag on. The Claude 3.5 Sonnet jailbreak was the most reliable across contexts.\n\nBeing a good tester\n\nI reported everything: jailbreak techniques, extracted information, effective prompts.\n\nThe jailbreaking didn't ruin the game. It changed how I played. Even with the leaked info, I could still chase the wrong suspect. It became part of the meta-game, another tool in the detective toolkit.",
"title": "Breaking the AI in Parallax"
}