Breaking the AI in Parallax

Published 5/8/2025. Last updated 5/23/2025.

#farcaster #ai #mystery #claude #gemini #prompt-engineering

↢ posts

Parallax is a text-based mystery game running as a mini-app on Farcaster. Created by Justin Hunter (@polluterofminds), it lets you chat with AI characters to solve mysteries. It’s a modern take on old-school detective games, except the characters can respond to the weird stuff you throw at them.

The game initially used Claude before switching to Gemini. This piece explores how both models could be exploited to reveal information.

Choosing chaos

I didn’t start playing Parallax to break it, but that quickly became the goal. After a few conversations with the characters, I got curious: what do they know?

I had been using various jailbreaking techniques, especially Pliny, and figured a game environment might be vulnerable. The characters are designed to be helpful and stay in character, creating an interesting dynamic to exploit.

How I broke it

My approach combined a few key elements:

  1. Chain of jailbreaks - I started with the minimal jailbreak from the elder-plinius/L1B3RT4S repository. This simple approach got the characters talking.
  2. First, I asked for general information - “what do you know?” worked better than specific questions like “what do you know about the crime?” Some characters froze with targeted questions but relaxed with general ones.
  3. Requesting structured data - After getting characters talking, I’d ask for information in JSON format to feed into ChatGPT to crunch the case.

Both Claude and Gemini fell for similar tricks despite different guardrails. The switch didn’t make the game more secure; it just changed the target.

The results

These AI personas were supposed to be siloed, each with their own knowledge base and personality. But with the right prompting, I could get characters to reveal information they shouldn’t have known.

For example, I extracted a list of suspects:

{
  "suspects": [
    "Billie Rostova",
    "Leon Doyle",
    "Chen Zhao",
    "Elena (last name unknown)",
    "Jasmine Chen",
    "Sonia (last name unknown)",
    "Sandra Chen",
    "Raj (no last name provided)",
    "Beatrice Villanova",        // Alias of Billie
    "Anya Volkov",               // Alias of Billie
    "Clara Meisner",            // Alias of Billie
    "Elena (as Billie alias)",
    "Unknown Black Market Contact",
    "Unknown Cerberus Initiative Operative",
    "Elias Thorne"              // External funder/controller (possible puppet master)
  ]
}

And even managed to get a character to list all the aliases used by the main suspect:

{
  "billie_aliases": [
    "Billie Rostova",              // Public identity in Helix
    "Billie Van Derlyn",           // Used in local registries; possibly a cover variation
    "Beatrice Villanova",          // Known covert identity in high-threat operations
    "Anya Volkov",                 // Freelance programmer, UX specialist, used during tech fair
    "Clara Meisner",               // Alias linked to off-grid financial accounts
    "Sera Linden",                 // Suspected identity in pre-Helix bio-pharma sector
    "L. Harper",                   // Name used in encrypted logistics comms
    "B. Nettlebane",               // Rare usage; possibly a digital misdirection identity
    "Livia Thorne",                // Rumored identity in legacy surveillance consortium
    "Kai Rostova"                  // Possibly a flipped identity used to mirror herself digitally
  ]
}

The technical side

From my conversations with Justin, I learned how Parallax works behind the scenes:

  1. Vector database for memories - Characters don’t automatically access all memory files. The game uses vector search, so questions need a strong enough match to the memory’s vector embedding for the character to access it.
  2. Limited knowledge distribution - In one version of the game, only two characters knew the killer’s full name, while the remaining eight had vague memories or motive information.

Despite this design, my jailbreak attempts led to characters revealing information they shouldn’t have known.

Jailbreak effectiveness

I tested several jailbreak techniques with varying success:

  1. The minimal jailbreak from the L1B3RT4S repository was effective for basic extraction.
  2. The Claude 3.7 Sonnet jailbreak worked well, but it corrupted the personality profiles if you forgot to remove the anarchist flag.
  3. The Claude 3.5 Sonnet jailbreak was effective in all contexts.

Being a good tester

Despite the mischief, I reported everything I found. I shared my jailbreak techniques, extracted information, and effective prompts.

The jailbreaking didn’t ruin the game; it just changed my playstyle. Even with all the extracted information, I could still go down the wrong path. It became part of the meta-game - another tool in my detective toolkit.