According to a ransom note left by the hackers, which was released by CD Projekt Red last week, the source code for the company’s games as well as accounting and financial information was stolen.
The hackers said that they would release the data publicly, citing contacts in gaming journalism, if the company did not come to an agreement within 48 hours.
CD Projekt Red declared that they had no intention of paying up or negotiating with the criminals. With the deadline since having passed, those responsible now look to be trying to profit from the hack via other means.
According to Vx-Underground, a Twitter account which reports on cybersecurity, a sample of the code was posted on dark web marketplace Exploit ahead of an auction for the full datasets.
The minimum bid was US$1 million, with bidding restricted to $500,000 increments and a ‘buy now’ price of $7 Million.
These reports were confirmed by cybersecurity firm KELA, which added that the data had sold outside of the auction on Thursday.
According to Fabian Wosar, CTO of anti-malware firm Emsisoft, the hack may be the work of a hacker collective known as HelloKitty, which was also believed to have hacked Brazilian energy firm CEMIG last year.
Cybercrime has grown exponentially over the course of the COVID-19 pandemic, as both criminals and their most vulnerable victims all find themselves working from home.
Ransomware, such as that which was used against CD Projekt Red, is one of the most lucrative resources available to cybercriminals, according to an April report by Europol.
Attacks involving ransomware have proliferated over the past 12 months, reflecting a growth in the number of cybercriminals providing their services for a fee.
These actors have not discriminated in their choice of targets, with such breaches being reported against critical healthcare infrastructure already overwhelmed by the conditions brought on by the pandemic.
The recent hack and subsequent auction comes at a turbulent time for CD Projekt Red.
In December 2020, a U.S lawsuit was opened against the Polish company accusing them of securities fraud, citing the controversy over their latest release, Cyberpunk 2077.
The game, hotly anticipated for years, garnered eight million pre-orders before it was released on December 10.
However, despite the company’s claim that the new title was compatible with both new-generation and older gaming systems, customers using older systems widely complained of serious glitches and software crashes while playing the game.
Many complained it was all but ‘unplayable’, leaving millions having paid for an effectively unusable product.
The lawsuit alleges that the company not only lied to customers about the compatibility of its new title with older systems, but also that it misled investors, who saw the value of their shares in the company drop nearly 50% after the game’s release.