Data stolen from Polish studio CD Projekt Red in a cyber attack has reportedly been sold.
The data included the source code files forCD Projekt Red’s game development engine, RedEngine, and titles includingThe Witcher 3: Wild Hunt, an upcomingray-traced version of The Witcher 3, Thronebreaker: The Witcher Tales and the recently releasedCyberpunk 2077, according tovx-underground.
The data was originallyput up for auction on the dark webwith a starting price of $1 million and a buy now price of $7 million, but the seller pulled the lot, with the condition of no further distribution or selling, after receiving an outside offer which was deemed to be satisfactory, cyber intelligence firmKelareported.
The ransomware attack on CD Projekt Red was allegedly carried out by a group called HelloKitty, which is said to have posted the source code of CD Projekt Red’s Gwent card game online prior to the auction.
CD Projekt Red first revealed on Monday that it hadfallen victim to a targeted cyber attack. In a statement, the developer said some of its internal systems had been compromised and “certain data” stolen.
In an apparent ransom note published alongside the statement, the culprits claimed they had stolen source code for the aforementioned games as well as documents relating to the company’s accounting, legal, HR and more.
If CD Projekt Red did not “come to an agreement” with them within 48 hours, the culprits said they would sell or leak the content.
CD Projekt Red said it would not give in to the demands and that it had approached relevant authorities including law enforcement and IT forensic specialists.
“We are taking necessary steps to mitigate the consequences of such a release, in particular by approaching any parties that may be affected due to the breach,” it said.
Important Updatepic.twitter.com/PCEuhAJosR
“We are still investigating the incident, however at this time we can confirm that – best to our knowledge – the compromised systems did not contain any personal data of our players or users of our services.”
On Tuesday, the company also released astatementaddressed to its former employees, in which it claimed that, “as of this moment, we don’t possess evidence that any of your personal data was accessed.”
The cyber attack caps off a torrid few months forCD Projekt, which released the highly anticipated Cyberpunk 2077 in December 2020 witha host of technical problems, most notably on last-gen consoles, resulting inrefunds being offeredand the titlebeing pulled from the PlayStation Store.
The company is alsofacing class-action lawsuitsbrought against it by investors over Cyberpunk 2077’s troubled launch, who claim that the company misrepresented the title.
Last month CD Projekt’s co-founder and joint CEOMarcin Iwinski issued a public apologyfor Cyberpunk 2077’s troubled launch and outlined the company’s commitment to improving the game over the coming months via a series of performance-enhancing patches, which will be followed by DLC and a next-gen update later this year.
