Hackers Begin Sharing Internal CD Projekt Red Data Publicly

Earlier this week, Cyberpunk 2077 and Witcher 3 developer CD Projekt Red (CDPR) announced hackers had targeted the company and attempted to hold it to ransom. Now, someone in possession of the data has leaked at least some of it online publicly.

The news shows not only the risk that video game studios face from hackers, but also the continuing trend of hackers not only deploying ransomware to lock target machines for payment, but also threaten, and follow through with, the leaking of data.

"CD Projekt's Red ransomed data has been leaked online," the Twitter account vxunderground tweeted on Wednesday, along with a screenshot of folders that they said contained the source code for Gwent, a card game in the Witcher universe developed by CDPR.

Motherboard found an alleged copy of the data on a low level hacking and data trading forum and downloaded it for verification purposes. The data includes Gwent assets marked as being built with the Unity game engine; Gwent was made with that engine. The cache is also larger than a normal, legitimate download of Gwent from a game store, and the download contains assets related to multiple versions of the game. The download also includes what appear to be Testframework files, software game developers use to test applications.

The download also includes a note, which appears to be written by whoever leaked the files, that reads "next release is tomorrow."

Vxunderground said in a follow up tweet that the hackers are auctioning code for the Witcher 3 and Cyberpunk 2077 on another forum. A screenshot Vxunderground shared with Motherboard said the bidding started at "1kk $".

A CPDR spokesperson told Motherboard in an email "We are still actively investigating this incident and have no further comments to provide at this time."

On Monday, CDPR announced in a tweet the hack against the company, and included a screenshot of the ransom note left by the hackers.

"Your have been EPICALLY pwned!!" the note read. Beyond game source code, the note claimed the hackers also had "all of your documents relating to accounting, administration, legal, HR, investor relations and more!"

"If we will not come to an agreement, then your source codes will be sold or leaked online and your documents will be sent to our contacts in gaming journalism," the note added.

CDPR's statement at the time said "We will not give in to the demands nor negotiate with the actor, being aware that this may eventually lead to the release of the compromised data." The company added that the hackers had successfully encrypted some devices on CDPR's network, but that the company had backups and begun restoring the data.

Emanuel Maiberg and Lorenzo Franceschi-Bicchierai contributed reporting.

Update: This piece has been updated to include a response from a CDPR spokesperson and a screenshot from Vxunderground clarifying details around the auction.

Subscribe to our cybersecurity podcast CYBER, here.