The hackers who targeted video game developer CD Projekt Red (CDPR) with a ransomware attack have auctioned off the stolen source code they acquired for a payday of potentially millions of dollars.
The breach, which CDPR first disclosed yesterday after learning of it on Monday of this week, involved critical game code related to high-profile releases like The Witcher 3 and Cyberpunk 2077. CDPR said at the time that it had no intention of meeting the hackers’ demands, even if that meant stolen material from the hack began circulating online.
That began happening shortly after. On Wednesday, leaks of potentially legitimate source code information started appearing on online forums, as noted on Twitter by the cybersecurity account vx-underground:
CD Projekt Red's ransomed data has been leaked online. pic.twitter.com/T4Zzqfn78F — vx-underground (@vxunderground) February 10, 2021
This initial leak was believed to include source code of CDPR’s virtual card game Gwent, while vx-underground disclosed that auctions for the more valuable source code were happening on a hacking forum known as Exploit. We haven’t been able to verify that information, and CDPR has not responded to a request for comment.
But a cybersecurity firm called KELA, which specializes in providing threat intelligence to companies based on analyses of dark web websites and communities, said it had reason to believe the auctions are, in fact, legitimate.
“We do believe that this is a real auction by a real seller who accessed the data. The seller offers to use a guarantor and he allows only those who have a deposit to participate — a tactic that is used by many sellers to show that they are serious and to ensure that no scam will occur,” a spokesperson for KELA told The Verge.
KELA said its threat intelligence analyst, Victoria Kivilevich, was able to download some of the information, which was provided by an individual claiming to be involved with the auctions. Kivilevich believes it is genuine, and KELA shared screenshots with The Verge of some of the file lists allegedly showing off stolen source code of CDPR’s Red Engine, its in-house game engine platform.
KELA said the auction offered source code files for CDPR game releases, including The Witcher 3: Wild Hunt, the spinoff Thronebreaker: The Witcher Tales, and the recently released Cyberpunk 2077. The stolen material was also believed to include internal documents, though it’s not clear what types of documents or additional material the full cache includes.
KELA said the starting price of the auction was $1 million, with higher bids in increments of $500,000 and a buy-it-now price of $7 million. Only users who deposited 0.1 bitcoin could participate, which is why Kivilevich believed the hackers were serious about hosting the auction and that the material for sale was likely legitimate: the deposit requirement ensured nobody participating in the auction was able to easily scam the sellers.
Vx-underground also independently verified the pricing terms of the auction after KELA had provided the information to The Verge, including screenshots alleging the time of the auction and that it was to run until 48 hours after the last bid. It has now ended.
Update: a mistake was made. They stated starting bid $1kk. This was assumed as a typo for $1,000. They meant $1,000,000. They are also selling immediately for $7,000,000. Attached images supplied by @DrFurfagMD pic.twitter.com/JnOcwnGqZk — vx-underground (@vxunderground) February 10, 2021
It’s not clear whether the leak from earlier today — which has already been removed from file upload sites like Mega and scrubbed from hacking forums and other sites — is in any way associated with the ransomware attack.
Update February 11th, 6:05PM ET: Added information regarding the end of the auction.