Where's Waldo.jpeg

Sneak messages into JPEGs like a hacker, then bust yourself using both old-school math and AI that can spot even the sneakiest pixel shenanigans. 176FF3672E2185E8

Comment

Inspiration

We got hooked on the idea of digital hide and seek. The thought that you could stuff a secret message inside a totally normal looking photo, and then build the detective tools to catch yourself doing it, felt like the ultimate hacker challenge. It's spy movie stuff but with math and AI.

What it does

Where's Waldo.jpeg plays both sides of the steganography game. First, it sneaks text messages into JPEG images using JSteg, hiding data in the DCT coefficients so the image looks completely unchanged. Then it turns around and becomes the detective: upload any JPEG and our system analyzes DCT statistics using both classical algorithms (LSB patterns, mirror symmetry, pairwise equalization) and Gemini AI to figure out if someone's been messing with it. We hit around 90% accuracy with only 5% false positives on small payloads.

How we built it

We implemented JSteg for the embedding side, which tweaks the least significant bits of quantized DCT coefficients during compression. For detection, we built a hybrid pipeline: a classical analyzer extracts coefficient frequency distributions and runs statistical tests on the DCT domain, then passes those insights to Gemini 3 Pro Preview, which makes the final verdict on whether the image is clean or compromised. We tested everything on 10 megapixel images with 25 KB payloads, which works out to about 0.02 bits per pixel.

Challenges we ran into

Getting JSteg stealthy enough to avoid visual artifacts while still making our detector sensitive enough to catch it was a balancing act. Tuning the statistical thresholds to keep false positives low without missing real tampering took tons of trial and error. Integrating Gemini with our classical analysis also meant a lot of prompt engineering to get consistent predictions that actually made sense.

Accomplishments that we're proud of

Hitting 90% detection on such tiny payloads (0.02 bpp) feels like we actually found Waldo in a stadium full of people. We built something that works on both sides of the steganography war, which most tools don't even attempt. The fact that our hybrid approach (old school math plus AI) outperforms either method alone is pretty satisfying.

What we learned

DCT coefficients are way more revealing than they look. We learned that combining classical statistical analysis with modern AI creates something stronger than either approach solo. Also, steganography is all about the details: one wrong tweak and you either leave obvious fingerprints or your message gets corrupted. Prompt engineering for technical analysis turned out to be its own art form.

What's next for Where's Waldo.jpeg

We want to expand beyond JSteg to other steganography algorithms and test on different payload sizes. Adding support for other image formats and maybe even video would be wild. We're also thinking about building a browser extension that automatically scans images as you browse, because who knows what secrets are hiding in your memes. Long term, we'd love to see this become a real security tool for detecting data exfiltration.

Share this project:

Updates