It’s kind of obvious that they are cheating: 23,074,248th through 23,075,235th hexadecimal digits is approximately 500 bytes. Finding 500 exact bytes in a random sequence would take a very long expected sequence :-)
I guess I disagree that it's "cheating" - it's more like they're playing a game with no actual rules, and therefore applying rules that are most convenient for their purposes to achieve victory.
I find their methodology for evaluating candidate Waldos to be as sufficient as any other.
What I mean is, they could certainly choose a much harder evaluation criteria and fail, but that's not much of a blog.
In the target image, byte 0 is red, byte 1 is blue, byte 3 is red.
In the candidate stream, byte 0 is 4. The error is minimised if byte 2 is also 4. The values of the bytes don't matter, just the patterns of which bytes have the same value.
But they're not finding exact bytes, they're finding something that very vaguely looks like something very vague. It also helps a lot that it's a face and human brains are very good at identifying faces.
The number of 500 bytes that would "look like" waldo is a lot higher than 1.
They do explain what they do: https://kundor.github.io/Cheating-images/