The hackers who attacked the video game developer CD Projekt Red (CDPR) with a ransomware attack are now auctioning off the stolen source code they acquired for a potentially million dollar payday.
The breach, which CDPR first released yesterday after learning of it on Monday this week, involved a critical game code related to high profile releases like The Witcher 3 and Cyberpunk 2077. CDPR said at the time that it had no intention of meeting the hackers’ demands, even if it meant that the material stolen from the hack started circulating online.
This has now started to happen, it seems. Earlier today, leaks of potentially legitimate source code information began to appear on online forums, as noted on Twitter by the cybersecurity account vx-underground:
This initial leak is believed to include the source code for the CDPR virtual card game Gwent, while vx-underground revealed that auctions for the most valuable source code were taking place on a hacking forum known as Exploit. We were unable to verify this information and CDPR did not respond to a request for comment.
But a cybersecurity company called KELA, which specializes in providing threat intelligence to companies based on analysis of dark web sites and communities, says it has reason to believe that the auctions are, in fact, legitimate.
“We believe that this is a real auction conducted by a real seller who accessed the data. The seller offers to use a guarantor and allows only those who have a deposit to participate – a tactic used by many sellers to show that they are serious and to ensure that no fraud will occur, ”said a KELA spokesman. The Verge.
KELA says its threat intelligence analyst Victoria Kivilevich was able to download some of the information provided to him by an individual who claims to be involved in the auctions. Kivilevich believes it is genuine, and KELA shared screenshots with The Verge of some of the file lists allegedly displaying source code stolen from CDPR’s Red Engine, its internal game engine platform.
:format(webp):no_upscale()/cdn.vox-cdn.com/uploads/chorus_asset/file/22295499/WhatsApp_Image_2021_02_10_at_14.12.09.jpeg)
Image: KELA
:format(webp):no_upscale()/cdn.vox-cdn.com/uploads/chorus_asset/file/22295501/WhatsApp_Image_2021_02_10_at_14.12.10.jpeg)
Image: KELA
KELA says the auction is offering source code files for Red Engine and CDPR game releases, including The Witcher 3: Wild Hunt, Logbreaker: The Witcher Tales spinoff, and the recently launched Cyberpunk 2077. Stolen material is also believed to include internal documents, although it is unclear what types of documents or additional material the full cache includes.
KELA says the auction’s starting price is $ 1 million, with higher bids in increments of $ 500,000 and a buy price of $ 7 million now. Only users who deposit 0.1 bitcoin can participate, which is why Kivilevich believes that hackers are serious about hosting the auction and that the material for sale is probably legitimate because it ensures that no one participating in the auction is trying to trick sellers .
Vx-underground also independently verified the auction price terms after KELA provided the information for The Verge, including screenshots claiming it will happen tomorrow at 5:00 am ET / 1:00 pm Moscow standard time, and will run up to 48 hours after the last bid.
Update: an error has been made. They declared the initial bid of $ 1kk. This was considered a $ 1,000 typo. They meant $ 1,000,000. They are also being sold immediately for $ 7 million.
Attached images provided by @DrFurfagMD pic.twitter.com/JnOcwnGqZk
– vx-underground (@vxunderground) February 10, 2021
It is unclear whether today’s leak – which has already been removed from file upload sites like Mega and deleted from hacker forums and other sites – is in some way associated with the ransomware attack.