Cyberpunk 2077 maker CD Projekt Red has GWENT source code leaked after ransomware attack

We recently discovered that CD Projekt Red, maker of Cyberpunk 2077 and the Witcher titles, had its source code for ‘GWENT’ leaked on a popular hacking forum on February 10. The post titled "CDProject Leak #1" indicates that there will be another leak tomorrow, in what appears to be a double extortion ransomware tactic.

Post of CDProject Leak #1

All links to the leaked database are now inactive.

GWENT is a popular card game for The Witcher. The card game appeared in Andrzej Sapkowski's The Witcher novels and became playable in CD Projekt Red’s The Witcher 3: Wild Hunt video game.

The leak for GWENT most likely originated from the recent CD Projekt Red breach on February 9. The cyber attacker gained access to source codes to Cyberpunk 2077, Witcher 3, card game Gwent and an as yet unreleased version of Witcher 3, CD Projekt said. The company made assurances that there was no evidence that customer data had been stolen during the process.

The company also remained adamant that they would not pay the ransom. The attackers reportedly gave them 48 hours to pay. "Based on the company response timing," ransomware expert Luca Mella told CyberNews, "it is possible that the attack was carried out on the weekend, so the 48 hours are already expired, and this is why the data started to circulate."

It is possible that the leak originated from one of the post authors as their posts on the hacking forum are consistent with the activity of a person who works with or is familiar with ransomware. However, this does not mean the person is necessarily a ransomware operator, rather that it is just consistent.

Ransomware Attacks: What Are They and How to Protect Yourself video screenshot

The GWENT leak

On February 10 a link to the CDProject Leak #1 archive on Mega.NZ was posted but soon made inactive. However, we found and downloaded a copy from another forum, and it seems the leak was shared on 4chan as well.

Below, you can see the game source files in the archive:

This CDProject Leak #1 archive was labelled as the first of the leaks and included a readme file claiming that the next part of the leak will appear a day later. From the metadata it seems that the hack and specifically the exfiltration of data or data transfer to a different storage happened on 2021-02-06 00:07 GMT.

The GWENT folder and readme.txt showing their modified date.
The readme file promising another release.

The post author has previously posted on the hacking forum on topics detailing Cobalt Strike, open-source ransomware source code, and various tutorials and links about exploits, privilege escalation and cryptography. This would be consistent with the knowledge, tools and skills required to launch a ransomware attack.

Cobalt Strike is one of the most common post-exploitation tools to perform ransomware attacks after the initial breach. Cobalt Strike has beacons that create a consistent tunnel between the target and an attacker to deliver payloads, making it possible to exfiltrate the data and deliver a payload (Cryptolocker) to encrypt the data.

It is most likely that the first part of leaks originated from HelloKitty ransomware operator’s recent attack on CDProjekt Red, during which their files were stolen and encrypted.

Mella agrees. "Based on the ransom note file name and Emsisoft intelligence KB the actor seems related to a ransomware group named HelloKitty," he told CyberNews. "This could mean the group is quite new and potentially growing fast after the compromise of such a high value victim. Many other younger affiliate may join their operations after this. CD Projekt is really popular and widely discussed among underground and gaming communities."

He's also seen that the leak is spreading on other forums. "I'm noticing the stolen data have been downloaded by many actors and some of them are trying to selling and disclose part of them on other places too."

Another threat actor (not the post author) has claimed that on February 11 there will be a leak of the source codes for Witcher 3, Thronebreaker, Witcher 3 RTX, and Cyberpunk 2077, among other files. They further claim in a private forum that an auction will be held at 1pm Moscow time, and that a deposit of 0.1 BTC (about $4,500 at time of writing) will be needed to participate. However, this has not been confirmed:

CDProject Leak #1 upcoming auction for further data
Claimed auction for further leaked data from the CD Projekt Red attack/CDProject Leak

We've received information of the type of data being included in the full sale of CD Projekt Red's stolen database. This seems to be their proprietary Red Engine, a game engine that was specifically developed for The Witcher.

Red Engine data purportedly included in the CD Projekt Red database sale

This is a developing story. We will continue to assess the situation as more information comes to light. We have attempted to contact CD Projekt Red but have not received a reply by the time of publishing.

Build your secure personal and business online presence


prefix 3 years ago
The game in the books is a dice game called barrel.
prefix 3 years ago
Lol you’re thinking more Owen Wilson. Keanu used to say “Woah…!” Both apply in this thread so no harm, no foul…
prefix 3 years ago
Not sure why they’d bother with Cyberpunk 2077. I mean ok I get the Witcher. But 2077 is so buggy it might give THEM Malware. Not to mention the lousy mechanics of the game.
prefix 3 years ago
That hacker is gonna get wrecked all they have to do is contact their vpn service and bam they have their identity. But it’s not like anyone wants to use their buggy ass code in the first place. Can’t I get the same files from downloading the game?
Mantas Sasnauskas
prefix 3 years ago
Hi Tiamat. Threat actor leaked the source code. What you have as a game is a compiled product.
prefix 3 years ago
As Keanu used to say – “wow”
prefix 3 years ago
Actually, it was “whoa” not “wow” but that’s neither here nor there. Gwent? Seriously? Who the hell cares about Gwent? Gwent Online is a bust. Thronebreaker was a failure. The Gwent tournaments were so badly organized, no one bothered covering any of them. It’s CDPR’s biggest loser. LOL
Matthew Wilson
prefix 3 years ago
Lol you’re thinking more Owen Wilson. Keanu used to say “Woah…!” Both apply in this thread so no harm, no foul…
Leave a Reply

Your email address will not be published. Required fields are markedmarked