Files stolen from CD Projekt Red in a ransomware attack revealed earlier this week have reportedly now been sold at a dark web auction.
Dark web monitoring organization KELA (which previously provided The Verge with what it believes to be legitimate file lists from CD Projekt's Red Engine) reports that the auction to sell the files has now been closed after a "satisfactory offer" was made from outside the forum in which it was being held. This offer stipulates that the code will not be distributed or sold any further. The cyber security account vx-underground also reported that it had heard the sale was completed.
Just in: #CDProjektRed AUCTION IS CLOSED. #Hackers auctioned off stolen source code for game releases #RedEngine and #CDPR and just announced that a satisfactory offer from outside the forum has been received, with the condition of no more distribution or sale. pic.twitter.com/4Z2zoZlkV6
– KELA (@Intel_by_KELA) February 11, 2021
Speaking to IGN, Victoria Kivilevich, KELA's threat intelligence analyst, explained that it looks like all of the stolen files – which apparently include the source code for Cyberpunk 2077, several versions of The Witcher 3 and Gwent – were sold in one package. It is unclear who the buyer is or what they intend to do with the files at the time of writing.
It is also unclear at what price the files were sold, but reports yesterday indicated an initial purchase price of $7 million. Kivilevich provided IGN with a translated screenshot of the forum, dated February 10, in which the seller said CD Projekt should pay the blitz (initial purchase fee) because of the confidential data contained in the files. Of course, we cannot currently verify that this is true. CD Projekt said publicly that it would not pay the ransom.
A reported screenshot of the now-closed auction topic.
In a report assisted by KELA yesterday, The Verge explained that the auction required a deposit to enter (intended to show potential buyers that it was not a fraudulent auction), with bids starting at $1,000,000 and increasing in increments of $500,000. Vx-underground also reported that the source code (or at least fragments of source code) for Gwent was released, which could have been further proof that the files were in hand before the auction.
Although not yet confirmed, several cybersecurity experts pointed to the ransomware attack coming from a group called HelloKitty, based on the title and content of the ransom note posted by CD Projekt after the hack.
The number of people who think that this was done by an unsatisfied player is laughable. Judging by the ransom note that was shared, this was done by a ransomware group that we tracked as "HelloKitty". This has nothing to do with dissatisfied players and is just common ransomware. https://t.co/RYJOxWc5mZ
– Fabian Wosar (@fwosar) February 9, 2021
IGN contacted CD Projekt for comment.