CD Projekt Red confirmed that it had been hit by a “targeted cyber attack” earlier this year. It stated that its internal systems were compromised and sensitive information was held to ransom. After CD Projekt Red did not give in to the group’s demands, the hackers announced that the source code for games such as Cyberpunk 2077 and an unreleased version of The Witcher 3 would be traded to the highest bidder. They also leaked the source code for Gwent.
The stolen data now appears to have resurfaced. As reported by security blog DataBreaches.net, a threat actor group decided to release the stolen data in order to advertise its new leaks platform. A note claiming the release of the stolen information is part of a “charity fundraising” effort from the hackers was also discovered by security software provider Emsisoft.
Source code folders for The Witcher 3, Thronebreaker, Cyberpunk 2077 and The Witcher 3’s re-release with ray tracing have been released in encrypted folders, with the group asking for a “donation” of $10k to unlock each folder. The note also allegedly stated that sensitive information such as CDPR data, company reports and NDA forms will not be leaked to the public, but will only be shown to the media. The data dump apparently also included unencrypted software development kits (SDKs) for the PS4, PS5, Nintendo Switch and Xbox X to prove the leak’s validity.
It is important to note that the passwords have now been given out or cracked for some of the folders, as some internal videos of Cyberpunk 2077 are being shared in private channels.
While the more serious elements of this leak, such as the source code, SDKs and unreleased assets, do not yet appear to be in common circulation, it’s likely only a matter of time before more of the stolen information pops up on social media or forums. It’s also not clear why the stolen data is being released following the auction. The note did mention that the leak is by agreement with the buyer in exchange for a discount, so it’s feasible some form of timed-exclusive access was agreed with the buyer. The ransomware attack has already proved to be a nightmare for CD Projekt Red, with sensitive data compromised and developers at one point left locked out of their workstations.