The files stolen from CD Projekt in the recent hack have reportedly been bought at an online auction, and the GWENT source code has been leaked.
As previously reported, CD Projekt announced they were the victim of a ransomware hack. This was the third such case for a video games company in four months.
The hacker had gathered data, encrypted their system, and left a ransom note. They stated that unless their demands were met within 48 hours, they would sell source codes for Cyberpunk 2077, GWENT: The Witcher Card Game, The Witcher 3: Wild Hunt, and an unreleased version of the latter. They also threatened to pass administrative documents on to journalists.
CD Projekt stated they would not give in to the demands, even if that led to the data being released, and had begun to work with authorities. Now darknet intelligence group KELA have posted a screencap from a forum in which the hacker allegedly confirms that the Red Engine and source codes were successfully auctioned off.
While the post by KELA was made on February 11th (and the purchase could have pre-dated that), vx-underground posted on February 10th that the GWENT source code had leaked online. This was likely to prove the legitimacy of the rest of the files. Vx-underground describe themselves as “The largest collection of malware source code, samples, and papers on the internet.”
Vx-underground also claim the hacker made an erroneous initial offer of $1,000 USD on the EXPLOIT forums, later corrected to $1 million USD. Users could increase the bid at a minimum of $500,000 USD, or buy immediately for $7 million USD.
The post by KELA stated (translated from Russian) “An offer was received outside the forum that satisfied us. With the conditions of further non-distribution, in this regard, they were forced to withdraw the lot from sale.” The post shown by vx-underground also showed the auction starting time in Moscow time (MSK).
The unreleased Witcher 3 build was dubbed “Witcher 3 RTX” and allegedly featured ray-tracing. The bidding post also mentions selling internal documents (as opposed to them going to journalists), along with “CD Projekt Red offenses.”
Cybernews reports the GWENT source code was leaked to “a popular hacking forum” on February 10th. They note that database links (such as Mega) had taken down the files, and that while the user who posted on that forum had a history of discussing ransomware and knowledge of it, they may have just been sharing the information.
Ransomware expert Luca Mella told Cybernews that based on the ransom note and Emsisoft intelligence KB, the hacker was possibly related to hacker group “HelloKitty.”
“This could mean the group is quite new and potentially growing fast after the compromise of such a high-value victim. Many other younger affiliates may join their operations after this. CD Projekt is really popular and widely discussed among underground and gaming communities.”
Mella also stated that the leaked data is spreading to other forums, and that parts of the data are being distributed or sold in other places. Another “threat actor” has also reportedly claimed that there will be a leak of the aforementioned source codes, and that those who participated in the original auction needed to deposit 0.1 bitcoin (an estimated $4,500 USD) to participate.
The situation bears comparison to the Capcom Ragnar Locker ransomware hack and subsequent leaks [1, 2] of November 2020. Those leaks included information on upcoming games (some of which seems to have come true) and politically correct business strategies.
The hackers also obtained employee personal information, HR information, and 350,000 items of customer and business partner personal information (none of which was credit card information).
Koei Tecmo Europe’s forums were also hacked in late December 2020. The hacker reportedly asked for Bitcoin, and claimed Koei Tecmo had lackluster digital security and had failed to follow GDPR guidelines by not informing their users about the hack sooner.
Image: GWENT: The Witcher Card Game via Steam