Hackers have successfully sold stolen CDPR source code and internal documents in a dark web auction

    
27

Earlier this week we reported on a breach of CD Projekt Red’s systems that resulted in a number of stolen pieces of data, including source code for Cyberpunk 2077, The Witcher 3, Gwent, and Thronebreaker, with the intent of ransoming off the ill-gotten gains. CDPR refused, and now the hackers have gotten their payday by way of a dark web auction that happened this past Wednesday.

Reports of this auction were shared by darknet intelligence company KELA Research and malware archive vx-underground, detailing the unfolding of events via Twitter threads. vx-underground first shared that an auction for game source data as well as internal documents was being held on the EXPLOIT forums with a starting bid of $1 million and a buyout price of $7 million. The next day, KELA confirmed that the auction was closed after the seller received “a satisfying offer from outside the forum.” No details of how much was paid have been shared, and the hacker stated that no further distribution or selling will be taking place as per the terms of the sale.

This, of course, will likely not stop CDPR from following through with bringing the perpetrators to justice, but it does confirm that whoever performed the hack got their money either way.

source: Twitter (1, 2, 3) via VG247
Advertisement

No posts to display

newest oldest most liked
Subscribe to:
Reader
duxxors

Let’s not forget this jarringly suspicious line. Oh right, shady darknet folks that handle stolen goods promised not to resell or distribute. I would definitely believe them.

No details of how much was paid have been shared, and the hacker stated that no further distribution or selling will be taking place as per the terms of the sale.

Reader
Kanbe

That was my first thought too.

Reader
Kickstarter Donor
Patreon Donor
Loyal Patron
zoward

This doesn’t pass the smell test. No one could actually use the source code for anything other than combing it for exploits, which wouldn’t justify a multi-million dollar price tag. CDPR wouldn’t buy it knowing that the hackers still have the source code and data, and can just dump it onto Pastebin at will.

I think the hackers tried and failed to shake down CDPR, and are trying to save face. The code and data has some value, but nowhere near what they’re claiming they got for it.

Reader
Rndomuser

Yea, it’s highly unlikely anyone will pay that much, even for exploits because most of those games are single-player and most people will just delete them after finishing them once (unless they suffer from amnesia). It’s most likely that the code was sold for much lower price.

Reader
Jack Tyme

There is so much you can do with the source code. Like creating variants of the games, even full blown variants with netcode etc. It would take extreme skill to do this, but it can be done.

Reader
Wollomby Rowsdower

It reminds me of some of the foreign developers that copy and paste code from other games into their games. Don’t other studios (or players) usually find out and see the code and sue?

Reader
Kickstarter Donor
Patreon Donor
Loyal Patron
zoward

That’s why I think the code is not worth the money they asked for. For a large developer, it’s too risky. Several open-source license violations have been spotted (and successfully sued for) in the wild because savvy devs can see a series of known small bugs in the code simultaneously manifest in other products. Or, a disgruntled ex-employee might turn whistleblower. A small, less-than scrupulous developer might take that risk, but they’re unlikely to have millions of dollars to spend on a code dump.

Reader
Dug From The Earth

A development team looking to make their own software could vastly benefit from source code from an engine that already does it every well.

Reader
Rndomuser

A development team looking to make their own software could vastly benefit from source code from an engine that already does it every well.

No sane developer would pay this insane price for a code to an engine from CDPR which scales very poorly across different hardware platforms (as evidenced by poor performance on last gen consoles), potentially has many more bugs and issues which are still unfixed and can put this developer in legal danger if someone will ever find out they paid for access to the stolen code. A sane game developer would rather pay to license something like Unreal Engine, which is much more scalable with better performance, is much more easier to use and to integrate with many existing third-party tools and plugins and will most likely cost less to license than the stolen code of unknown quality from CDPR.

Reader
Dug From The Earth

I wasnt referring to cyberpunk. I was mostly speaking of Witcher 3.

And it doesnt have to be a legit dev team. Plenty of dev groups in places like china that would easily try to pump out ill legit games with stolen source code to make a profit.

Reader
Tom De Laet

So I’m not an it engineer but wouldn’t it be possible to use the source code to find weaknesses that might be in the Cyberpunk online part? Which could in turn be used for data theft from online players? Again I don’t know just spitballing. The saving face definitely sounds more likely.

Reader
SmiteDoctor

What the hell happened to this company?

chosenone.jpg
Reader
Kickstarter Donor
Richard de Leon III

I really dont think they fell that far, they are the victim of a crime. As for cyberpunk’s crappy release, I wouldnt excuse them for the mistakes but Its no where near as bad as say Anthem’s crash and burn or EA’s Star Wars shenanigans.

Reader
Rndomuser

Same thing that happens to many other companies once they get past certain point of being rich and famous – the founders or owners shift their attention to other things not involving their company since they have plenty of money to spend on those things and let the company slowly destroy itself. Some destroy their companies in a different way, by selling it to bigger corporations which also don’t really care about properly managing it, but CDPR founders/owners did not choose this way.

That doesn’t happen to every company, of course, but this is what most likely happened to CDPR, especially seeing that they don’t even care to properly secure access to such information (by hiring more competent workers or treating them well enough so they would not consider doing something like giving access to company’s servers to some hacker group because they are not satisfied with the way CDPR treats them). That’s just my opinion about what happened to them.

Reader
SmiteDoctor

Poland isn’t exactly silicon valley, kind of limits your competent applicant pool.

Reader
dreamer

CDPR has a large international team.

MilitiaMasterV
Reader
MilitiaMasterV

Amazon has Cyberpunk for $10 off already. Take it down to $30, and I’d pay, even for the buggy mess. I’m desperate for something to play. :|

Reader
Jetra_Virsai

I like how people think CDPR is doing this for publicity. Pretty sure the last thing I want as a company is for this to be a “ha ha, y’all got fooled” after their game bombed harder than No Man’s Sky and Diablo Immortal combined. Anyone who still believes in the company would be shattered and kill off any goodwill worse than EA’s erosion has.

Feel bad for the devs and co. There’s nothing worse than kicking someone when they’re down even if they are a horrible person.

Maybe, I don’t know, even if it were Enemy No. 1, I personally would hate to throw them down stairs while they were recovering.

Reader
Armsman

I’m sure this is going to help them in their defense of their civil lawsuit… Oh wait…

Reader
Ironwu

Not really sure what use this data would be to anybody. Seemingly, it is not the full set of source for anything.

Except for C-2077, it is all old stuff anyway.

And why would anyone want the current code base of C-2077?

Reader
Bryan Correll

The “internal documents” might well be more valuable depending on what they contained.

Fisty
Reader
Fisty

Here is hoping we get better mods, that RTX Witcher 3 and unofficial patches. Most likely none of that. Could be CDPR. Could be another company hoping to release a clone. That’s a decent chunk of change to do nothing with.

Reader
Dug From The Earth

Makes me wonder if CDPR was this “mystery” buyer, despite them publicly saying they wouldnt bend to demands.

Reader
Tom316

Why would they do that.. The hacker(s) are going to keep a copy of the code and info regardless, so what would be the point of them buying there own stuff that they already have. There is nothing keeping the hacker from dumping all this open willy on the web anyways now that they have the money.

Reader
Dug From The Earth

If you read the agreement of the sale, you would see that the terms were
“no further sales or distribution” of the source code.

Meaning even IF they keep a copy, they agreed to not give it out or sell it.

CDPR’s main concern is their source getting put out there for others to see and use, beyond what has already happened.

Reader
Tom316

I am sorry but someone that illegally hacked into there computer system, took property that wasnt theres, and then blackmails them. How in the heck could you trust said person after all of that. Its there word and that isn’t worth the data on the computer. Besides once they bitcoins / payment was handed over how would you keep this unknown person from spilling the beans anyway? There is nothing known about this person and there never would be. Thats why they wanted a middleman.

Reader
Dug From The Earth

You may not believe it but “Ransomware” hackers happen all the time for large companies, and many of those companies pay big money to have their stuff “unlocked” again.

These hackers are in it for the money. Its in their best interest to make a legit sale so they can continue to make money. As soon as they start getting the rep that despite being paid off, they still screwed over the victims, no one would ever pay them money again.