The hackers, who targeted video game developer CD Projekt Red (CDPR) with a ransomware attack, are now auctioning off the stolen source code they obtained for a payday of potentially millions of dollars.
The breach, which CDPR revealed only yesterday after learning about it on Monday this week, involved critical game code related to high-profile releases such as The Witcher 3 and Cyberpunk 2077. CDPR said at the time that it did not intend to meet the hackers’ demands, even if that meant stolen material from the hack would begin to circulate online.
That now appears to be happening. Earlier today, leaks of potentially legitimate source code began appearing on online forums, as noted on Twitter by the cybersecurity account vx-underground:
This first leak is believed to contain the source code of CDPR
But a cybersecurity firm called KELA, which specializes in providing threat intelligence to companies based on analysis of dark web sites and communities, says it has reason to believe the auctions are actually legitimate.
“We believe that this is a real auction of a real seller who has access to the data. The seller offers to use a guarantor, and he only allows those who have a deposit to participate – a tactic used by many sellers to show that they are serious and to ensure that no fraud will occur,” a spokesman for KELA tells The Verge.
KELA says that threat intelligence analyst Victoria Kivilevich was able to download some of the information provided by a person who claimed to be involved in the auctions. Kivilevich thinks it is real, and KELA shared with The Verge screenshots of some of the file lists that allegedly show stolen source code for CDPR’s Red Engine, its internal game engine platform.
KELA says the auction offers source code files for both Red Engine and CDPR game releases, including The Witcher 3: Wild Hunt, the spinoff Thronebreaker: The Witcher Tales, and the recently released Cyberpunk 2077. The stolen material is also assumed to contain internal documents, although it is not clear what types of documents or additional material the entire cache contains.
KELA says the starting price of the auction is $1 million, with higher bids in increments of $500,000 and a buy-it-now price of $7 million. Only users who deposit 0.1 bitcoin can participate, which is why Kivilevich believes the hackers are serious about holding the auction and that the material for sale is probably legitimate, because the deposit ensures that no one participating in the auction is trying to scam the sellers.
Vx-underground also independently verified the price conditions for the auction after KELA had provided the information to The Verge, including screenshots claiming that it will take place tomorrow at 17:00 ET / 13:00 Moscow Standard Time and run until 48 hours after the last bid.
Update: An error occurred. They set a starting bid of $1kk. This was thought to be a $1,000 typo. They meant $1,000,000 dollars. They also sell immediately for $7,000,000.
Attached photos provided by @DrFurfagMD pic.twitter.com/JnOcwnGqZk
– vx-underground (@vxunderground) February 10, 2021
It is not clear if the leak from earlier today – which has already been removed from file upload sites like Mega and scrubbed from hacking forums and other websites – is in any way linked to the ransomware attack.