Yesterday, news broke that hackers breached Cyberpunk 2077 studio CD Projekt Red (CDPR). The hackers gave CDPR 48 hours to respond to their ransom demands, and it seems that time is already up. The group claiming to be behind the hack has now posted the source code of CD Projekt Red’s ‘Gwent’ card game on a hacking forum and claims to be auctioning off the source code for Witcher 3 and Cyberpunk 2077 on the EXPLOIT forums with a starting bid of $1,000.
The hackers claim to have also obtained source files for Cyberpunk 2077, Gwent, and an unreleased version (probably for next-gen consoles) of The Witcher 3.
This is the source code to ‘Gwent’ card game. Witcher 3, CyberPunk 2077, etc is being auctioned today on EXPLOIT forums at a starting bid of $1,000 USD. The ransomware authors said they will not be auctioning data anywhere else – any other location other than EXPLOIT is fake. (February 10, 2021)
As spotted by vx-underground, a well-known entity in the data security space, the data is already up for auction with a few sample bits of code available on the Exploit forum. The starting bid was set at $1,000 for the full cache, but it’s easy to imagine it will sell for a much higher price.
Meanwhile, the leaked Gwent files also appear to have made their way to a handful of other forums, including 4Chan, with the main download hosted on Mega. We found traces of the threads, but they have since been removed and deactivated. As such, we are unable to confirm the validity of the leak.
Either way, it appears Mega, 4Chan, and other forums are actively working to ensure the Gwent code, which appears to be the first leak installment to take place, doesn’t end up in too many public hands.
Releasing the ransomed data in separate stages is a standard method to threaten the target. In this case, the hackers are using the tactic to remind CD Projekt Red that they are serious about the ransom.
However, it is important to note that, thus far, we have been unable to find the source files ourselves or confirm the original attack. All we have is CDPR’s word about the attack, along with traces and screenshots of the data cache. CDPR has remained defiant in the face of the ransom demands, saying it won’t cave in to them.