Cyberpunk and Witcher hackers claim they’ll auction off stolen source code for millions of dollars

The hackers who targeted video game developer CD Projekt Red (CDPR) with a ransomware attack are now auctioning off the stolen source code they acquired for a payday of potentially millions of dollars.

The breach, which CDPR first disclosed yesterday after learning of it on Monday of this week, involved critical game code related to high-profile releases like The Witcher 3 and Cyberpunk 2077. CDPR said at the time that it had no intention of meeting the hackers’ demands, even if that meant stolen material from the hack began circulating online.

That has now started to happen, it appears. Earlier today, leaks of potentially legitimate source code information started appearing on online forums, as noted on Twitter by the cybersecurity account vx-underground:

This initial leak is believed to include source code of the CDPR’s virtual card game Gwent, while vx-underground disclosed that auctions for the more valuable source code were happening on a hacking forum known as Exploit. We haven’t been able to verify that information, and CDPR has not responded to a request for comment.

But a cybersecurity firm called KELA, which specializes in providing threat intelligence to companies based on analyses of dark web websites and communities, says it has reason to believe the auctions are, in fact, legitimate.

“We do believe that this is a real auction by a real seller who accessed the data. The seller offers to use a guarantor and he allows only those who have a deposit to participate — a tactic that is used by many sellers to show that they are serious and to ensure that no scam will occur,” a spokesperson for KELA tells The Verge.

KELA says its threat intelligence analyst, Victoria Kivilevich, was able to download some of the information provided to him by an individual claiming to be involved with the auctions. Kivilevich believes it is genuine, and KELA shared screenshots with The Verge of some of the file lists allegedly showing off stolen source code of CDPR’s Red Engine, its in-house game engine platform.

Image: KELA

Image: KELA

KELA says the auction is offering source code files for both the Red Engine and CDPR game releases, including The Witcher 3: Wild Hunt, Thronebreaker: The Witcher Tales spinoff, and the recently released Cyberpunk 2077. The stolen material is also believed to include internal documents, though it’s not clear what types of documents or additional material the full cache includes.

KELA says the starting price of the auction is $1 million, with higher bids in increments of $500,000 and a buy-it-now price of $7 million. Only users who deposit 0.1 bitcoin can participate, which is why Kivilevich believes the hackers are serious about hosting the auction and that the material for sale is likely legitimate because it ensures nobody participating in the auction is trying to scam the sellers.

Vx-underground also independently verified the pricing terms of the auction after KELA had provided the information to The Verge, including screenshots alleging it’s to take place tomorrow at 5AM ET / 1PM Moscow Standard Time and run until 48 hours after the last bid.

It’s not clear whether the leak from earlier today — which has already been removed from file upload sites like Mega and scrubbed from hacking forums and other sites — is in any way associated with the ransomware attack.