Notice: To display this embed please allow the use of Functional Cookies in Cookie Preferences.
Data stolen from Polish studio CD Projekt Red in a cyber attack has reportedly been sold.
The data included the source code files for CD Projekt Red’s game development engine, RedEngine, and titles including The Witcher 3: Wild Hunt, an upcoming ray-traced version of The Witcher 3, Thronebreaker: The Witcher Tales and the recently released Cyberpunk 2077, according to vx-underground.
The data was originally put up for auction on the dark web with a starting price of $1 million and a buy now price of $7 million, but the seller pulled the lot, with the condition of no further distribution or selling, after receiving an outside offer which was deemed to be satisfactory, cyber intelligence firm Kela reported.
The ransomware attack on CD Projekt Red was allegedly carried out by a group called HelloKitty, which is said to have posted the source code of CD Projekt Red’s Gwent card game online prior to the auction.
CD Projekt Red first revealed on Monday that it had fallen victim to a targeted cyber attack. In a statement, the developer said some of its internal systems had been compromised and “certain data” stolen.
In an apparent ransom note published alongside the statement, the culprits claimed they had stolen source code for the aforementioned games as well as documents relating to the company’s accounting, legal, HR and more.
If CD Projekt Red did not “come to an agreement” with them within 48 hours, the culprits said they would sell or leak the content.
CD Projekt Red said it would not give in to the demands and that it had approached relevant authorities including law enforcement and IT forensic specialists.
“We are taking necessary steps to mitigate the consequences of such a release, in particular by approaching any parties that may be affected due to the breach,” it said.
“We are still investigating the incident, however at this time we can confirm that – best to our knowledge – the compromised systems did not contain any personal data of our players or users of our services.”
On Tuesday, the company also released a statement addressed to its former employees, in which it claimed that, “as of this moment, we don’t possess evidence that any of your personal data was accessed.”
The cyber attack caps off a torrid few months for CD Projekt, which released the highly anticipated Cyberpunk 2077 in December 2020 with a host of technical problems, most notably on last-gen consoles, resulting in refunds being offered and the title being pulled from the PlayStation Store.
The company is also facing class-action lawsuits brought against it by investors over Cyberpunk 2077’s troubled launch, who claim that the company misrepresented the title.
Last month CD Projekt’s co-founder and joint CEO Marcin Iwinski issued a public apology for Cyberpunk 2077’s troubled launch and outlined the company’s commitment to improving the game over the coming months via a series of performance-enhancing patches, which will be followed by DLC and a next-gen update later this year.