The source code to Counter-Strike: Global Offensive and Team Fortress 2 has leaked online, causing mass panic about possible hacking attempts on players.
It appears the leaked code originated on 4Chan via a thread. The post stated the following, along with a torrent link.
“A couple valve-community related items relating to leaks that have happened in the past and a unreleased source mod are contained inside this torrent. CSGO source code as of Operation Hydra and TF2 code as of Jungle Inferno are inside. Release purpose is to further the interests of those that want to garner possible use out of these files, rather than them sitting on a dying harddrive.”
Editor’s Note: While we have found an archive of this thread we will not share it, as we would be liable for sharing sensitive data that could be used for malicious intent. Please find a redacted screenshot of the archive here.
The validity of these files was later confirmed by Steam Database (a third-party group dedicated to monitoring changes on Steam’s databases). Even prior to its confirmation, many organizers of fan-made Team Fortress 2 and Counter-Strike: Global Offensive servers and other gamers began to warn each other of the threat this posed [1, 2, 3, 4, 5, 6, 7].
They universally recommended not playing the game until the matter was resolved. Alongside an increased presence of cheats and hacks, some feared it would lead to more malicious hacks, such as accessing a user’s inventory and deleting all their items, or even accessing files on their computer. A code injection and/or remote code execution exploit is also allegedly publicly available.
We have also heard unconfirmed reports of the motive behind the leak. Tyler McVicker runs the YouTube channel ValveNewsNetwork, dedicated to cut content from Team Fortress 2. He, along with another unknown individual (who we shall call “the Leaker” for clarity), allegedly had obtained the source code much earlier.
It seems the Leaker being kicked from McVicker’s online friend group on a social media or chat platform caused them to leak the information online. This was allegedly due to the Leaker making inappropriate comments to a transgender member of the group.
The torrent also allegedly contained this transcript of chatlogs between McVicker and “Cephalon Cephalon.” Therein Cephalon talks as though he is a Valve employee. While lengthy, nothing proves the transcript’s validity. The pastebin was created on April 22nd, thereby making “predictions” of then-future Valve plans less impressive.
Twitter user “JaycieErysdren” claimed on Twitter (and possibly Discord) the Leaker was part of the “Lever Softworks” group (along with themselves), and was kicked from the Discord server due to “problematic behavior including racism, homophobia and transphobia.” While not guaranteed, JaycieErysdren may be the transgender person the unknown individual made inappropriate comments to.
She further claims the source code was originally distributed to “many people” in May 2018 “by a mentally unstable source who wanted to cause damage to Valve.” The Counter-Strike: Global Offensive source code included in the content was from May 2017, and Team Fortress 2’s source code was from November 2017.
This would match the claims in the 4Chan post that the content included up to Team Fortress 2’s Jungle Inferno update (first released in October 2017), and Counter-Strike: Global Offensive’s Operation Hydra update (first released in May 2017).
“While Tyler never had direct access to the code,” JaycieErysdren stated, “many of his associates had access and datamined it for the purpose of providing interesting information and trivia.”
JaycieErysdren then discusses two alleged chatlogs. One with nothing to do with the leak (between Cephalon and “YSU Calc II”), and the other between McVicker and Cephalon (as written above). She claims this chatlog was “shared with several close friends, including the one who is responsible for this leak.”
The leaked torrent also allegedly contains an “F-STOP” build, an allegedly cancelled game by Valve (code-named F-STOP) that Lever Softworks were attempting to recreate via what data was available. “Since the leaker was in the Lever Softworks group, and was removed just yesterday for the aforementioned problematic behavior, their username and work is all over the build.”
McVicker denies being involved with the leaks, and has stated on Twitter that he “will be submitting all the evidence I have on the SrcCode leak to Valves legal department.” JaycieErysdren also stated McVicker would contact Valve’s legal department (though hours after McVicker stated it himself), and that “they are aware of the situation and will be handling it WITH Tyler’s assistance.”
While we cannot confirm how serious these leaks could be, we advise all our users to avoid online Source engine-based games until there is an official statement from Valve. We have reached out to them for comment.