It hasn’t been a very good pandemic for CD Projekt Red, and this week, things somehow got even worse for the Polish game publisher. After a disastrous release of the oft-delayed Cyberpunk 2077, the company was apparently hacked and had lots of sensitive data stolen, including the source code for games like Cyberpunk and its far more successful franchise, The Witcher.
CD Projekt Red's ransomed data has been leaked online. pic.twitter.com/T4Zzqfn78F
— vx-underground (@vxunderground) February 10, 2021
As Ars Technica laid out, hackers used ransomware to crack CD Projekt servers and take sensitive data, then offered it back to the company with the threat that if they didn’t pay up, they’d auction it off on the dark web. And that’s apparently exactly what happened after the company refused to pay.
VX Underground, which tracks ransomware and other malware attacks, noted on Wednesday that the ransomed source code had been posted on a dark Web forum known as EXPLOIT. The starting bid was reportedly $1 million, with a $500,000 bidding increment and $7 million “buy it now” price.
Cyber intelligence firm KELA confirmed the authenticity of that auction, telling The Verge that forum users needed to put up 0.1 BTC (roughly $4,700 as of this writing) to participate in the bidding as a sign that offers were legitimate. The sellers also reportedly provided file listings for Gwent and the Red Engine that underlies CDPR’s games as proof that the data was authentic.
Initial leaks of the data appear to be the Witcher-adjacent card game, Gwent. But as the auction continued other leaks appeared to be verified as coming from CD Projekt and containing information about The Witcher and Cyberpunk. And as of Thursday, the auction of the data appears to have been completed.
Update: we have confirmed the auction has closed. Someone has indeed purchased the material.
— vx-underground (@vxunderground) February 11, 2021
It kind of sounds like something that would happen in Cyberpunk, honestly, though there are some potential real-life consequences here. And CD Projekt acknowledged a security breach earlier in the week, so something did happen here that they say authorities are looking into.
To our ex employees: As of this moment, we don't possess evidence that any of your personal data was accessed. However, we still recommend caution (i.e. enabling fraud alerts). If you have questions, please write to our Privacy Team dpo[at]https://t.co/0UUMoqT5tF
— CD PROJEKT RED (@CDPROJEKTRED) February 9, 2021
It’s more bad news in what’s been a troublesome few months for the publisher. One that, depending on who now owns their data, may get even worse.