The Encrypted Notes of Ricky McCormick

On June 30, 1999, the partially decomposed body of 41-year-old Ricky McCormick was discovered in a corn field in St. Charles County, Missouri. At first glance, the case appeared to be a grim but unremarkable homicide mystery: a man with health problems and a troubled background found dead far from home, with no obvious explanation for how he had arrived there.

The sheets

Yet investigators soon stumbled upon a detail that transformed the case into a cryptologic mystery. Hidden in McCormick’s trouser pockets were two handwritten sheets filled with strings of letters, numbers, dashes, and parentheses – notes that remain undeciphered to this day.

Ricky McCormick’s first encrypted note — Source: FBI

Ricky McCormick’s second encrypted note — Source: FBI

The discovery raised immediate questions. Were the notes encrypted messages? A personal shorthand? Random scribbles? Or perhaps instructions connected to a criminal activity? The text showed recurring combinations of capital letters, irregular formatting, and symbols that resisted conventional interpretation.

Ricky McCormick

McCormick himself added another layer of mystery. He had dropped out of school, reportedly struggled with literacy, and lived a precarious life in the St. Louis area. Family members later stated that he often wrote down strange-looking notes, although they strongly disputed the idea that he was capable of producing an elaborate secret code. His mother claimed that “the only thing he could write was his name,” while relatives suggested that his scribbles were closer to incomprehensible shorthand than deliberate encryption. The FBI, however, believed the notes could still contain meaningful information and treated them as potentially significant evidence.

The circumstances surrounding McCormick’s death only deepened the intrigue. He was last seen alive several days before his body was found, after visiting a hospital for ongoing respiratory problems. Investigators could not explain why he ended up in a rural area roughly fifteen miles from his residence, especially since he neither drove nor had easy access to transport to that location. Authorities were allegedly unable to determine a clear cause of death. As a result, both the homicide and the mysterious notes remained unresolved.

Publication

For more than a decade, the coded pages sat inside FBI files. Then, in March 2011, the agency made an unusual move: it released high-resolution images of the notes to the public and appealed for help. The FBI’s Cryptanalysis and Racketeering Records Unit (CRRU), assisted by outside experts including members of the American Cryptogram Association, had failed to crack the writing. Public codebreakers, amateur sleuths, and cryptography enthusiasts were invited to try their luck. The Bureau openly acknowledged that deciphering the text might reveal McCormick’s whereabouts shortly before his death – and perhaps even point toward a killer.

The response was immediate. Internet forums, cryptography communities, and amateur investigators proposed countless theories. Some interpreted the notes as geographic directions or drug-related instructions; others argued that the text represented a phonetic shorthand intelligible only to McCormick himself. Online discussions frequently return to one central question: was this actually a cipher at all? On forums devoted to mysteries and cryptanalysis, many commentators speculate that the writings may simply reflect an idiosyncratic personal notation rather than a deliberately concealed message.

Analysis

Here is a transcription of the first note:

(P1)
(MNDMUNEMRSE-N-STA-UNARE)  (AESM)
FRNENP?NSENPBSERCBBNSENPRSEINC
PRSE NMRSE OPREHLDULDNCBE(TFXLC TCXL NCBE)
AL-PRPPIT XLYPPIY NCBE MEKSEINCDRCBRNSEPRSE
WLD RCCBRNSE NT SSNENTXSE-CRSLE-CLTRSE WLD NCBE
ALWCP NCBETSMELRSERLSEURGLSNEASNWLDNCBE
(NOPFSE NLSRE NCBE) NTEGDDMNSENCURERCBRNE
(TENE TFRNE NCBRTSENCBE INC)
(FLRSE PQSE ONDE 71 NCBE)
(CDNSE PQSE ONSDE 74 NCBE)
(PRTSE PRSE ONREDE 75 NCBE)
(TF NBCMSPSOLEMRDELUSE TOTE WLDN WLDNCBE)
(194 WLD’S NCBE)(TRFXL)

This is the second note transcribed:

ALPNTE GLSE – SE RTE
VLSE MTSE-CTSE-WSE-FRTSE
PURTRSEONDRSEWLD NCBE
NWLDLRCMSP NEWLD STS MEXL
DULMT 6 TUNSE NCBEXE
(MUNSAISTEN MU NARSE)
KLSE-LRSTE-TRSE-TRSE-MKSEN-MRSE
(SAESNSE SE N MRSE)

NMNRCBRNSEPTE2PTEWSRCBKNSE
26 MLSE 74 SPRKSE 29KCNOB,OLE 175 RTRSE
35 GLE CLGSE UUNUTKEBKRSE PSESHLE
651 MTCSE HTLSE NCUTC TRQ NMRE
99.84.52 UNEPLSEUCRSEAOLTSENSKSENRSE
NSREONSE PUTSEWLD NCBE (3 XORL)

DNMSE NRSE 1N2 NTRLERC BANSENTSECRSNE
LSPNSENGSPSEMKSERBSGNCBENUXLR
MH CRE NMRE NCBE  1/2 MUNDDLSE
D-W-M-4 MPL XDRLX

The letters E, N, and S appear unusually often, while K, Q, X, and Z occur only rarely. This distribution appears broadly consistent with ordinary English. Such a pattern is consistent with a transposition cipher. Certain letter combinations recur with notable frequency: SE appears particularly often, while sequences such as WLD and NCBE are also repeated. No conventional cipher model has yet provided a satisfactory explanation.

Despite years of speculation, no consensus has emerged. The notes remain officially undeciphered, and McCormick’s death unsolved. Unlike many famous cryptograms, the puzzle offers no obvious key, no confirmed plaintext, and not even certainty that encryption is involved. More than twenty-five years after a dead man was found carrying two sheets of cryptic symbols, investigators and codebreakers alike still face the same unsettling possibility: the meaning may be hidden in plain sight – or perhaps lost forever.

Literature

Craig Bauer: Unsolved! The History and Mystery of the World’s Greatest Ciphers. Princeton University Press 2017

Back to Unsolved Crypto Mysteries

The Ohio cryptogram

On June 27, 1916, a man robbed the ticket counter of the Western Ohio Railway in Lima, Ohio. Brandishing a gun, he forced the ticket agent to hand over the contents of the safe, then fled with $265.

This ticket-counter robber left behind an encrypted message — Source: AI-generated

A few weeks later, the magazine Enigma, published by the National Puzzlers’ League, wrote:

The police department of Lima, O., is greatly puzzled over a cryptic message received in connection with the robbery of a Western Ohio ticket agent. Here it is: WAS NVKVAFT BY AAKAT TXPXSCK UPBK TXPHN OHAY YBTX CPT MXHG WAE SXFP ZAVFZ ACK THERE FIRST TXLK WEEK WAYX ZA WITH THX.

An encrypted message

This cipher and its accompanying true-crime story were uncovered by Dave Oranchak – one of the cryptanalysts behind the solution of a second Zodiac Killer case message – and later brought to wider attention by Nick Pelling on his Cipher Mysteries blog.

Nick identified two contemporaneous reports on the cryptogram in archived issues of the Lima Times Democrat. The ciphertext version printed there differs slightly from the one later published by the National Puzzlers’ League. Since the Enigma author likely relied on the newspaper account, the Lima Times Democrat version is the most reliable basis for analysis. Here it is:

Was nvlvaft by aakat txpxsck upbk txphn ohay ybtx cpt mxhg wae sxfp zavfz ack there first txlk week wayx za with thx

The Lima Times Democrat even published a solution of the cryptogram:

This solution of the Ohio cryptogram doesn’t make sense — Source: Lima Times Democrat

However, it is immediately clear that this solution is wrong. It is extremely unlikely that a monoalphabetic substitution cipher (MASC) produces half a dozen meaningful words (THERE, FIRST, WEEK, ….) within one or two encrypted sentences. Even if one applies the table only to the cryptic-looking words, no readable cleartext appears.

A bandit’s telegram?

It is not known to me what exactly the relationship between the cryptogram and the robbery is. The most likely explanation is that this message is a telegram. Telegraphy was quite popular in 1916, and encrypting a telegram was nothing unusual. Usually, a codebook was used for this purpose. In fact, the train station robbery cryptogram looks exactly like a codebook-encrypted message. The sender left a few less important words (WAS, BY, FIRST, THX, …) in the clear, while he looked up the others in a codebook.

If the train station robbery cryptogram really is a telegram it seems possible that the robber sent it immediately before or after the act. Perhaps, the telegraphy clerk informed the police after having realized that he had dealt with a criminal.

Here’s an example of a codebook page (alas, it’s not the one that was used for the train station robbery cryptogram):

Page of a codebook

Codebooks were not only used for encryption but also for shortening messages (as you see on the example page above, a codeword like EGEUZ may stand for a longer expression, like “not concerned in failure-s (of)”). For this reason, many codebooks were public and underwent no major changes for many years. If somebody wanted to use a public codebook for encryption, he often applied an additional cipher, for instance by adding the current date to every codeword used.

If the train station robbery cryptogram is actually codebook-encrypted I’m afraid, it can only be solved if somebody finds the codebook that was used.

Of course, it is not absolutely granted that the train station robbery cryptogram was encrypted with a codebook. Other encryption techniques used in the time of the First World War are possible, too.

In any case, solving this crypto mystery might shed some additional light on an unsolved crime, which happened over a century ago.

Literature

Klaus Schmeh: Codeknacker gegen Codemacher. 2007

John McVey’s codebook page

Satoshi Tomokiyo’s codebook page

Back to Ciphers and Crime

The Rabinowitz murder case

For many true-crime enthusiasts, the TV series Forensic Files is considered essential viewing. Among its most talked-about episodes is “Summer Obsession”, which examines the 1997 murder of young U.S. attorney Stefanie Rabinowitz. The investigation identified her husband, Craig Rabinowitz, as the perpetrator.

Craig and Stefanie Rabinowitz — Source: Ai-generated

Part of the case’s notoriety likely stemmed from the involvement of a stripper in the investigation. For us, however, the case is interesting for another reason: it highlights the role of racketeering records analysis in forensic investigation.

Click here to display content from YouTube.
Learn more in YouTube’s privacy policy.

Open "Medical Detectives Summer obsession" directly

Stefanie Rabinowitz appeared, at first glance, to have lost consciousness in the bathtub and drowned. However, the coroner became suspicious, and a pathologist later confirmed that Stefanie Rabinowitz had in fact been strangled. Only one suspect emerged: her husband, Craig Rabinowitz. He was arrested on the day of the funeral, as the evidence against him was overwhelming. Yet, the motive initially remained unclear.

At first glance, Craig Rabinowitz appeared to be a successful and affluent businessman. However, investigators discovered that his financial success was built on a fraudulent Ponzi-style scheme rather than legitimate business activities. During the investigation, it was revealed that Craig Rabinowitz was also involved in an extramarital affair with a stripper known as “Summer.”

As shown in the Forensic Files episode (starting around 10:25), law enforcement officers conducting a search of his residence uncovered detailed racketeering records (referred to as “ledger”) documenting his illegal financial operations. The forensic accounting specialist, Ricardo Zayas was commissioned to analyze these documents and help interpret the extent of the fraudulent activity.

Rabinowitz’s notes were divided into two columns: “Out” on the left and “In” on the right. The Out column detailed his debts, while the In column outlined the financial gains he stood to receive in the event of his wife’s death. In the Out column, entries listed a fixed amount—representing an investor’s contribution—alongside a percentage rate, apparently referring to interest. Rabinowitz had also used abbreviations to identify investors. “RAB” appeared to refer to his mother, while “J.S.” stood for his friend Jeffrey Solomon. Another recurring notation, “6600/MO,” indicated monthly payments of 6,600 U.S. dollars.

In the event of his wife’s death, Rabinowitz stood to receive $1,885,500 — Source: Ai-generated

In the television documentary mentioned, a section of the ledger is shown. It displays the In column. The image above (AI-generated) presents the content in greater clarity. The content reads:

F.C., 1,000,000
P.M. 500,000
ABA 360,000
F&B 10,000
Clock 7500
Car 6000
——-
1,885,500

Using Ken Englade’s book Everybody’s Best Friend, the note can be interpreted as follows: in the event of his wife’s death, Rabinowitz calculated that he would receive:

  • $1,000,000 from a life insurance policy with First Colony (F.C.)
  • $500,000 from a life insurance policy with Provident Mutual (P.M.)
  • $360,000 from a life insurance policy with New York Life, taken out through the American Bar Association (ABA), a U.S. professional organization for lawyers
  • $10,000 from a life insurance policy provided by Stefanie’s employer, Fineman & Bach (F&B)
  • $7,500 for a watch
  • $6,000 for Stefanie’s car

This means that, in the event of his wife’s death, Rabinowitz stood to receive $1,885,500. As early as the day after the murder, he pawned his wife’s jewelry at a pawn shop and received an additional sum of money that does not even appear to have been included in the calculation.

Ricardo Zayas’s report on his examination of the ledger was 70 pages long. Investigators concluded from it that Craig Rabinowitz’s motive was financial gain: by orchestrating his wife’s murder, he intended to collect the insurance payout, satisfy his investors, and retain remaining funds for himself and his lover.

The ledger was the only one piece of physical evidence tying Rabinowitz to his wife’s murder. It represented, in Rabinowitz’s own hand-writing, his motive for wanting to kill his wife. Craig Rabinowitz was ultimately convicted of murder and sentenced to life imprisonment without the possibility of parole.

Literature

Ken Englade: Everybody’s Best Friend. The shocking murder that exposed a devoted husband as a cold-hearted killer. St. Martin’s Press. 1999

Rebecca Reisner: Craig Rabinowitz’s Gratuitous Crime. Forensic Files Now. 2016

Back to Ciphers and Crime

Racketeering documents published by the CRRU

When dealing with criminal cases involving traditional encryption, sooner or later you’ll come across the CRRU, the FBI’s code-breaking unit. It has cracked quite a few tricky encryption schemes used by murderers, robbers, spies, and organized criminals. Unfortunately, the CRRU isn’t particularly forthcoming, which is why so little is known about its work.

The abbreviation CRRU stands for “Cryptanalysis and Racketeering Records Unit.” Most readers of this blog probably know what “cryptanalysis” means: it refers to the process of breaking codes. The term “racketeering record,” on the other hand, is less common. “Racketeering” is a collective term for illegal activities of all kinds – from drug trafficking and handling stolen goods to extortion. In this context, “record” does not refer to a personal best, but rather to a record or document. The “Cryptanalysis and Racketeering Records Unit” is thus a unit that deals with deciphering encrypted messages and analyzing records from illegal activities.

The starting point is that drug dealers, protection racketeers, pimps, loan sharks, operators of illegal gambling rings, and similar individuals must keep records of their business – unless they want to lose track of things. But it’s also clear that criminals don’t adhere to any accounting standards in this regard. On the contrary: they will try to design their documents so that an outsider cannot understand them.

Of course, a crook can use a computer and an encryption program for his racketeering records. We’ll set that aside for now. With handwritten records, an illegal businessman can employ various tricks:

  • He omits meaningful explanations, headings, and comments. In computer science, this would be called obfuscation.
  • He disguises the document as a phone list, restaurant bill, or something similar. This is a form of steganography.
  • He uses code words, replaces letters with symbols, scrambles numbers, or employs similar tricks. This is a form of cryptography.

It is clear that racketeering records play an important role for the police. That is why there are specialists – certainly not just at the CRRU – who analyze them.

While much has already been published about encrypted messages, very little can be found on racketeering records. A Google search for the term yields hardly any useful results.

Three examples from the CRRU website

After all, a few years ago I found three examples of racketeering records on the CRRU’s website at the time. The first one refers to a drug deal and is written on a restaurant notepad as a cover:

Source: FBI

The following note is an illegal betting slip, which is almost impossible for an outsider to recognize:

Source: FBI

And here is an illegal loan agreement, written on a form that was presumably printed for a jeweler:

Source: FBI

More CRRU examples

There are a few additional examples published by the CRRU in brochures or articles. In all cases, the subject is drug trafficking. Code words such as “NIEVE” or “VENTANA” are used, presumably referring to drugs:

Source: Analysis of Drug Trafficking Ledgers

Terms such as “grasa” and “Barrada” are also presumably code words referring to drugs:

Source: CRRU brochure

A Marijuana Bale List:

Source: Analysis of Drug Trafficking Ledgers

This example concerns drugs for which the weight is specified:

Source: Analysis of Drug Trafficking Ledgers

Das folgende ist eine Berechnung (23,000 – 9,000 = 14,000     – 13,000 = 1,000):

Source: Analysis of Drug Trafficking Ledgers

Ich wünschte, die CRRU würde mehr zu diesem Thema veröffentlichen, aber das tut sie nicht. Racketeering Records Analysis ist daher nach wie vor zu großen Teilen eine Geheimwissenschaft.

Literature

Analysis of Drug Trafficking Ledgers

CRRU brochure

Back to Ciphers and Crime

Daniel Dantas’s TrueCrypt-protected disks

Daniel Dantas is a Brazilian banker who came under investigation for alleged financial crimes in 2008. In July of that year, authorities seized several hard drives encrypted with the crypto software TrueCrypt.

The Brazilian National Institute of Criminology spent five months attempting to access the data without success before seeking assistance from the Federal Bureau of Investigation. Despite conducting dictionary attacks on the drives for over a year, the FBI was unable to decrypt their contents.

Dantas was ultimately convicted and sentenced to ten years in prison.

Literature

Finextra article
Daniel Dantas’s Wikipedia entry

Back to Ciphers and Crime

 

The Somerton Man and the Tamam Shud cryptogram

On November 30, 1948, an unknown man appeared at Somerton Beach, a stretch of coastline just outside the city of Adelaide, Australia. Despite the summer heat, he was dressed in a suit—something that, was not entirely uncommon in Australia at the time. The following morning, his body was found.

The Somerton Man

Soon, this person became known as the “Somerton Man.” At the time of his death, he was estimated to be between 40 and 45 years old. His appearance was well-groomed, his body fit, and his clothing of high quality. The Somerton Man carried no meaningful personal belongings—no identification documents, nothing that could reveal his identity. All labels had been carefully removed from his clothing.

The police were unable to identify the Somerton Man. No one seemed to be missing him. Nobody recognized the man, although his picture was shown in numerous newspapers, on many websites, and on television programs in Australia and elsewhere. Even the cause of death remained unclear. The circumstances suggested poisoning, although no trace of any toxin could be detected with the methods available at the time. It is possible that the Somerton Man took his own life—but murder or natural causes could not be ruled out either.

 

AI-generated pictures of the Somerton Man

A few weeks after his death, a suitcase was discovered in the luggage storage at Adelaide railway station. It appeared to belong to the deceased. However, its contents—consisting mainly of ordinary travel items—provided little help to investigators. At least one detail became clearer: the Somerton Man had been at the station. It is believed that he may have arrived in Adelaide on a night train. After leaving his suitcase in storage, he likely took a bus to Somerton Beach.

The Tamam Shud cryptogram

Several months after the death of the Somerton Man, investigators discovered another clue in the pocket of his trousers: a carefully folded slip of paper bearing the words “Tamam Shud.” Police quickly determined that the fragment had been torn from a copy of The Rubaiyat of Omar Khayyam by Edward FitzGerald. This 19th-century collection of poetry was, and still is, very popular in the English-speaking world.

The Somerton Man had this message (Tamam Shud cryptogram) in his possession, but threw it away before he died.

Following a public appeal, a witness came forward who had found a copy of the book. It had apparently been thrown through the open window of his parked car. The torn slip of paper found in the dead man’s pocket clearly originated from this very copy. On the inside of the back cover, investigators discovered a handwritten sequence of letters with no obvious meaning—possibly a coded message. It read as follows (with some letters not clearly identifiable):

MRGOABABD
MLIAOI
MTBIMPANETP
MLIABOAIAQC
ITTMTSAMSTGAB

To this day, the message, now known as the “Tamam Shud cryptogram,” remains a mystery. Was it meant to be found? After all, the book had been left in a place where it was almost certain to attract attention.

Analysis of the cryptogram

Numerous codebreaking experts and amateur cryptologists have examined the “Tamam Shud cryptogram.” So far, no one has been able to present a convincing solution. Could it be a—albeit very short—suicide note? Might it contain a clue pointing to a murderer? Or is it nothing more than meaningless scribbling?

In my view, the most plausible hypothesis is that the cryptogram consists of the initial letters of English words. This idea is supported by the distribution of letters, as demonstrated in 2009 by the Australian students Andrew Turnbull and Denley Bihari. Perhaps the abbreviated words form a sentence when expanded.

But what purpose would such a cryptogram serve? Many people write down initials as memory aids, for example when trying to memorize a text. Was the author of these lines attempting to memorize a poem? None of the verses in The Rubaiyat of Omar Khayyam match these initials, and no other poem fitting this pattern has been identified so far.

Some interesting observations come from the Austrian cryptology expert and author Peter Lichtenberger. Let us assume that the cryptogram consists of five lines (the crossed-out “X” is therefore disregarded). According to Lichtenberger, the first letter may simply be a scribble caused by a pen that did not initially work. After writing the first line, the author began a second, but then realized that more space was needed. He crossed it out and rewrote it further below (the second and fourth lines begin almost identically). The third line may have been derived in some way from the first, and the fifth from the fourth. Both the third and fifth lines also begin with what appears to be a scribble—perhaps because the writer paused to think, allowing the pen to dry slightly. But in what way were the third and fifth lines derived from the others? Was some form of encryption involved? No one knows.

Identification of the Somerton Man

In July 2022, the scientists Derek Abbott and Colleen Fitzpatrick announced that they had determined that the Somerton Man was Carl “Charles” Webb, an electrical engineer and instrument maker born on 16 November 1905, in Footscray, a suburb of Melbourne. Abbott claimed his DNA identification from strands of hair found in the plaster death mask made by South Australian Police in the late 1940s. Through investigative genetic genealogy, matches were found for descendants of two distant cousins of Webb, on both the paternal and the maternal side.

Unfortunately, nothing new has come to light about Carl Webb since this alledged identification. It remains unclear why nobody recognized Webb in the photograph of the Somerton Man, though this picture became very popular in Australia. There is no information explaining why Webb was in Adelaide, why he carried no identification, or how he died. No photograph of Carl Webb has ever been published, so it is not possible to check if he looked like the Somerton Man.

It is also unknown why Webb had the note later known as the Tamam Shud cryptogram in his possession and why he threw away a copy of The Rubaiyat of Omar Khayyam. Most of all, the Tamam Shud cryptogram remains unsolved.

Literature

Craig Bauer: Unsolved!: The History and Mystery of the World’s Greatest Ciphers from Ancient Egypt to Online Secret. Princeton University Press 2017

Gary Feltus: The Unknown Man: A Suspicious Death at Somerton Beach. Port Campbell Press 2017

Klaus Schmeh: Nicht zu knacken. Hanser 2012

Back to Ciphers and Crime

Velvalee Dickinson: The spy with the doll code

During the Second World War, mail in the United States was subject to strict censorship. Various types of content were not allowed to be sent, including children’s drawings, chess games, flower orders, and many other seemingly harmless pieces of information. The reason for these restrictions was the fear that spies might use such materials to transmit coded messages.

Five suspicious letters

In 1942, U.S. censors came across an unusual letter (“letter 1”). It was reportedly sent by a woman in Portland, Oregon, to someone in Buenos Aires, Argentina, but was returned because the recipient could not be identified. The letter mentioned a “wonderful doll hospital,” where the sender had left her three “Old English dolls” for repairs. It also referred to “fish nets” and “balloons.” To my regret, a scan of letter 1 has never been published.

FBI cryptographers examined the letter and concluded that the “three Old English dolls” in letter 1 stood for three warships and the doll hospital was a shipyard where repairs were made. They further concluded that the fishing nets referred to submarine nets protecting ports on the West Coast and that the reference to balloons was intended to convey information about other defense installations on the West Coast.

Shortly after, four more letters addressed to the same person in Buenos Aires began arriving at the homes of the ostensible senders with the notation, “Address Unknown.” The persons whose names had appeared on the envelopes as the senders stated that the signatures on the letters resembled theirs and that the letters contained correct information. The four denied, however, that they had sent any of the letters.

Letter 2 includes the phrase “Distroyed YOUR” and refers to a Mr. Shaw. The letter was written shortly after the destroyer Shaw had undergone repairs.

Another of these additional letters (“letter 2”), allegedly from a woman in Springfield, Ohio, had in fact been mailed from New York City. It included the phrase “Distroyed YOUR” and, within the same sentence, referred to a Mr. Shaw who had been ill but was expected to return to work soon. As it happened, the letter was written shortly after the destroyer Shaw was undergoing repairs at a West Coast shipyard and was due to rejoin the fleet in the near future. Letter 2 is shown in the figure above.

Another of the letters (“letter 3”), allegedly sent by a Colorado Springs, Colorado woman, was postmarked Oakland, California. It mentioned seven small dolls which the writer said she would attempt to make look as if they were “seven real Chinese Dolls”. This obviously referred to several warships, which had come into San Francisco Bay for repairs. I am not aware of a scan of letter 3.

Letter 4 mentions a Siamese temple dancer.

The Portland, Oregon woman, whose name had appeared as the writer of the first letter, submitted to the FBI a letter returned to her by the Post Office in August 1942 (“letter 4”, see figure above). It was postmarked Portland, Oregon. In the letter it said: “I just secured a lovely Siamese Temple Dancer, it had been damaged, that is tore in the middle. But it is now repaired and I like it very much. I could not get a mate for this Siam dancer, so I am redressing just a small plain ordinary doll into a second Siam doll…”

The FBI deciphered this as follows: “I just secured information of a fine aircraft carrier warship, it had been damaged, that is torpedoed in the middle. But it is now repaired and I like it very much. They could not get a mate for this so a plain ordinary warship is being converted into a second aircraft carrier…” This letter was written a few days after the aircraft carrier USS Saratoga had left Puget Sound for San Diego.

Letter 5 mentions a German bisque doll.

Still another letter was allegedly sent by a Spokane, Washington woman, this one carrying a Seattle, Washington postmark (“letter 5”). The letter mentioned a “German bisque doll,” dressed in a hula grass skirt, which was reported to be in Seattle for repairs scheduled for completion by the first week in February. It turned out that this doll stodd for a warship which had been damaged at Pearl Harbor. The vessel was in Puget Sound Navy Yard for repairs when the letter was written.

The conclusion reached by the FBI cryptanalysts was that a steganographic code was used in the letters, which attempted to convey information on ships of the U.S. Navy, their location, condition, and repair, with special emphasis on the damage of such vessels at Pearl Harbor.

Velvalee Dickinson (1893–1943) was a spy for Japan during World War II. She communicated with her handler using a steganographic code in which references to dolls concealed the true meaning of her messages.

Velvalee Dickinson

Through interviews with the four female recipients, the FBI was led to the doll dealer and collector Velvalee Dickinson. All four women knew Dickinson personally and had corresponded with her. As a result, the biographical details mentioned in the fraudulent letters were already familiar to her.

The location of Velvalee Dickinson’s doll shop in New York today

Velvalee Dickinson (1893–1943) operated a doll shop in New York, located at 718 Madison Avenue. She catered to wealthy collectors and enthusiasts interested in acquiring foreign, regional, and antique dolls. Her husband supported the business by managing its financial records, including transactions involving the sale of dolls to prominent individuals across the United States.

A newspaper ad published by Dickinson

Suspicion that Dickinson had authored the coded letters quickly intensified. Investigators discovered that she had been present in locations from which she could observe the ships referenced in the letters. Although Dickinson did not have access to classified information, details about naval vessels could still be gathered from observations made in and around naval ports.

Further evidence revealed that Dickinson maintained connections with Japanese individuals, and payments she had received from them were documented. At the time, Japan was at war with the United States and had a strong interest in obtaining military intelligence. It therefore appeared highly likely that Dickinson had been spying for Japan and relaying her findings to her handler through the disguised correspondence.

Based on the findings of the FBI’s investigation, agents arrested Velvalee Dickinson in January 1944. She was sentenced to ten years in prison and fined $10,000. Compared to other spies, Dickinson received a relatively lenient punishment. At the time, espionage on behalf of an enemy nation could carry the death penalty in the United States. Dickinson avoided this fate because she was not charged with espionage itself, but rather with violating wartime censorship regulations. She was released early in 1951. Under a different name, she later worked in a hospital and as a secretary. She died in 1980.

The code used by Dickinson

The steganographic code used by Velvalee Dickinson was most likely developed specifically for her by Japanese intelligence. Strictly speaking, it was a jargon code. In a jargon code, certain words or phrases carry a hidden meaning. In its simplest form, such a code may consist of just a single expression. For example, the word “hello” in a phone call could be used to signal, “I cannot speak privately right now; others are present in the room.” In practice, however, jargon codes can be far more elaborate and structured.

Jargon codes are relatively easy to construct and use. When designed carefully, they can also be quite secure. However, they lack flexibility, since all possible messages must be defined in advance. This limitation makes them less adaptable than letter-based forms of steganographic communication.

It was not unusual for spies to rely on codes specifically developed for their operations. Another well-known example is the cigar code used by Haicke Jansen and Willem Roos. The critical mistake made by Japanese intelligence lay not so much in the code itself, but in operational security: the recipient address in Argentina did not exist, causing Dickinson’s letters to be returned. Additionally, it was relatively easy for the Federal Bureau of Investigation (FBI) to identify the true sender of the fraudulent correspondence. With greater care and tradecraft, this exposure could likely have been avoided.

Literature

Klaus Schmeh: Versteckte Botschaften. Die faszinierende Geschichte der Steganografie. 2017

Velvalee Dickinson, the “Doll Woman”

Back to Ciphers and Crime

 

The Janssen and Roos spy case

A the center of that case were two German agents, Haicke Janssen and Willem Roos, who posed as Dutch cigar merchants when they entered Great Britain in 1915. They then visited several British port cities independently of one another, where they appeared to be doing brisk business and sent corresponding orders via telegram to the Netherlands.

 

Haicke Janssen (1885-1915)

In reality, however, the two were targeting British port facilities, where they were on the lookout for warships. The supposed cigar orders were disguised messages about the number of ships in a particular port. For example, if one of them ordered 10,000 Corona brand cigars to Portsmouth, this stood for 10 reconnaissance ships (cruisers) that he had spotted in the port facilities there. The recipient of these orders was a purported cigar company in the Netherlands, behind which the German intelligence service was operating.

Willem Roos (1882-1915)

However, the British monitored international mail during wartime. As a result, some censors were puzzled by the high number of orders—10,000 cigars was simply too many for a city like Portsmouth. They also noticed that all the orders came from cities with a military port. Janssen and Roos’s espionage mission therefore lasted only a few weeks before British intelligence caught on to them. The two were arrested and brought to trial. During the trial, several cigar experts testified that the brands in question did not even exist. In the end, both Germans were sentenced to death.

Literature

David Kahn: The Codebreakers. Scribner, 1996

Klaus Schmeh: Versteckte Botschaften. Dpunkt-Verlag, 2017

Back to Ciphers and Crime