CD Projekt Red Hackers Reportedly Sold the 'Cyberpunk 2077' Source Code

The hackers behind this week's ransomware attack on Cyberpunk 2077 studio CD Projekt Red appear to have found a buyer for the stolen data. Engadget reports: They ran an auction on a hacking forum but, as The Verge notes, they shut it down after reportedly accepting an offer from elsewhere. The starting price for the auction was said to be $1 million and there was the option for an interested party with a spare $7 million to buy the data outright. It's not clear who has acquired the data, how much they paid for it or what they're planning to do with the information.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[JonnyCalcutta]

It wasn't actually sold, just licensed for use on one computer.

Re: Not to be resold

[e3m4n]

Stolen data has a terms of sale they expect to be honored?? In what universe do they expect to enforce? Honor among thieves?

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[hey!]

Having money, or even being perceived as having a lot of money, cures most reputation problems, as the entire US recently learned.

Re:

[Cito]

Amen, the democrat party departed reality long long ago.

Try using the audio from a pirated telecined film

[Babel-17]

Try using the audio from a pirated telecined/cam film for your own pirated video, and then stand back in awe as the wrath of a chunk of the pirate community is brought down upon you. They will call you a thief with no sense of irony. I use "you" in the general sense, lol, I don't mean you specifically. :) IIRC a top executive from a company like Norton, or McAfee, was convicted of giving a major pirate group a lot of software in exchange for access to their inner sanctum of pirated goods. Apparently there

Re:

[sg_oneill]

Depends on who they are aligned with. If its just some slightly malevolent nerds in a bedroom, I would say they have no power of enforcement at all.

If they are tied to some real world organized crime ring then they have significant enforcement power.

If you are buying data from a broker, and theres a hells angel sitting in the room with him, you know damn well, that biker can insist on any damn TOS he wants.

Though I'm more inclined to think that any buyer with $7mil spare to spend on corporate espionage is m

Re:

[PCM2]

Stolen data has a terms of sale they expect to be honored?? In what universe do they expect to enforce? Honor among thieves?

If I've got a CD and I ask you to pay $14 for it, you'd be pretty dumb to think I didn't have a few more to sell.

On the other hand, if I have some kind of unique IP that I want to sell for millions, I'd be the dumb one if I didn't expect you to want an exclusive.

Remember, also, that the customer is the kind of person who knows how to reach/talk to hacker groups, which means there's a good chance they can find out where you live, and they clearly have a lot of money and not an excess of fear of the law.

Maybe $1?

[SuperKendall]

Given the state of the source code, I'm thinking the purchase price was about $1...

Maybe CDPR should offer to pay the people that bought it if they can submit a pull request that fixes a substantial number of bugs?

Re:

[boy1dr]

CDPR is probably the buyer, maybe it was cheaper than paying the ransom

Re:

[SuperKendall]

CDPR is probably the buyer, maybe it was cheaper than paying the ransom

That's a pretty amusing thought, to buy your own source code though a shell company as it's cheaper than a ransom!

Re: Maybe $1?

[e3m4n]

Funny. I got the ps4 ver for xmas. Havent even installed it. Was hoping to have a ps5 by now but thats not looking too promising either. They did push patch 1. Maybe by patch 3 I can install it ;-)

Re:

[Megane]

I'm waiting for the part where the hackers have to give a refund because the code is so broken.

Re:

[thegarbz]

Given the state of the source code, I'm thinking the purchase price was about $1...

Of which source code? The Red Engine itself is quite a marvel regardless of what buggy shit was bolted on top of it.

What's the value?

[Arthur, KBE]

So someone is going to make a game with this? By the time it [if] ever comes to market, CD Project is going to be on the next or subsequent engine anyway --

I don't think Carmack was ever any worse for the wear after releasing the Quake engine when Quake II came to market, etc.

Re:

[alvinrod]

No one could use it since trying to release a commercial product using their engine would get the company sued in oblivion. Maybe some Chinese company that doesn't give a fuck about selling it outside of China would do it, but no existing studio would touch it. The only other reason I can think of for someone to buy it is to try to see if there's a way to backdoor some kind of malware into the game so that it spies on you or mines crypto currencies on the GPU while the game is running.

Re:

[rtb61]

You break up the code into it's significant algorithm blocks and use those in other products. It's is not the entire code but it's elements, and how much they cost to produce and they can readily be reused. Likely coders who CD Projekt Red outsourced to but did not pay enough.

It is kind of like a bank having trouble handling it's cash and just putting that keeping of that cash to open tender, anyone who wants to handle millions of dollars and they take the cheapest tender to look after the money and they ar

Re:

[sg_oneill]

Code wise, whats the point of that? You can license something like UE4 or Cryengine for a song, and its probably going to be significantly better code anyway.

All the game-specific scripting is cruft, in the scheme of things.

Re:

[cusco]

I think your second paragraph just described most Bitcoin exchanges.

3rd party patches can be sold

[Canberra1]

The whole idea of selling a product is not needed. Just sell patches to fix the defective parts. And like a virus scanner you can the code for sequences so patches can be worked into different offsets in different versions. There is precedent. Someone created a few MS OS patches before MS did. If you have the source code, you should be able to create a signature checksum much easier. As for rendering engines, all the tricks have already been used, which is basically not rendering bits that cant be seen. T

Re:

[PCM2]

Who knows? Saudi Prince's son says he wants to program videogames, dad gets him some cool source code for his birthday....

Re: What's the value?

[Armonk]

actually I think no existing studio would touch it even if they could do so legally. The so called 'red engine' took 8 years and its disappointing. even the engine that powers gta 3 is more impressive.

Re:

[Anonymous Coward]

It's actually even more complex than that. After the Half-Life 2 source code was leaked there was a legitimate warning that no devs under any circumstance should look at it.

The reason being that if you wrote an algorithm in a game as a professional developer and subsequently someone working alongside you left and went to work for Valve and said "Hey, I saw this algorithm used at my last employer" then this opens the door for legal discovery against your former employer, and potentially you as an individual.

Who would pay?

[Dixie_Flatline]

First of all, who has the money to pay for it?

Second, while I'm sure they do perfectly good work at CD Projekt, I have a hard time believing that they're doing anything groundbreaking. As a game dev myself, we do some interesting work, but very little that I think stands alone, out of the context of our engines. We're not Epic, which would be a totally different ball game.

Third, what do you do with the source once you have it? I suppose it might make it slightly easier to pirate their game, but not so much

Re:

[Arthur, KBE]

If the source code is so valuable, why doesn't someone just pirate Linux? It's running, what, 70%+ of all "computers" in the world?

It's GPL, you say. OK. So it's protected by copyright. So is 2077, and even under a *more* restrictive license -- namely, they haven't said anybody has any right to do anything with this, whatsoever.

So yeah, I agree, I don't see value, esp. $7M, in this. If the $7M purchase is actually true, It's probably from a person or group that is sitting on a ton of Bitcoin they

Yeah hackers may be lying :)

[raymorris]

"I agree, I don't see value, esp. $7M, in this. If the $7M purchase is actually true"

If it's true is a good point. A couple things used to start working toward attribution for various roles is "who would want to do this, and would want it badly enough to spend these resources? So we have to ask "who would be willing to spend $7 million to get the source code of a game?" That's got to be a very short list of people, close to zero.

If you're developing a game, which you can then sell at full price, sure you

Re:

[UnknownSoldier]

> why doesn't someone just pirate Linux?

How do you pirate something that is Free as in Speech and Free as in Beer??

Re:

[dromgodis]

Replace the licence comments from the source code and re-release it?

Re:

[aardvarkjoe]

Perhaps they could be looking for exploitable security vulnerabilities that they could use to target players of the game? Seems like a pretty steep price for that, though; it's hard to imagine that security was a particularly high priority in development of this game.

We don't know how much money actually changed hands; if it was only a few tens of thousands there's probably a fair number of potential buyers who could find it worthwhile.

For that matter, the hackers could be completely full of shit and nobod

Re:

[jezwel]

You are completely missing the group of people that will pay for objects illegally gained simply so they have them. Whether they do anything with the object is completely irrelevant - for all we know a Blue-ray with the code burnt to it will be lit up in a display cabinet somewhere, next to some moon dust and T-Rex bones.

Re:

[Dixie_Flatline]

This is honestly the most likely reason in my mind. You'd have to be a rich collector, but even then, how do you display this? What do you do with it? Print it out and mount it? Put it on a diamond studded USB key and carry it around with you?

Re: Who would pay?

[Armonk]

exactly if anything, cyberpunk has shown the cdpr red engine to be subpar

Re:

[AmiMoJo]

Maybe they can sell a knock off version somewhere that doesn't care too much about foreign copyrights, like Russia.

It does seem very odd.

The Limited All-In Deluxe Edition from CD Project

[ffkom]

Ok, so the All-In Deluxe Edition sale was limited to one exemplar. Those marketing ploys selling N different editions of the same game at exponentially increasing outrageous prices have gone too far!

Not the worst idea, though, to make the sale look so "cyber-crime"-themed, a perfect fit for the games.

CD Projekt Red probably purchased it

[dicobalt]

Either that or a crypto criminal who wants to spread their malware to high performance gaming PCs.

Patch?

[Pascoea]

Does this mean the game will finally get patched?

Re:

[n0nsensical]

The "Patch the Game" minigame: if you want to keep playing, you'll have to patch out the crashy parts! How meta

I don't get it

[OrangeTide]

How will the buyer recoup costs when starting from a stolen code base? Publish a bunch of Android games because Google's policies are so lax? Why even bother when a smaller 3D engine would run better and cost less?

Re:

[n0nsensical]

I'll bet payment was in the form of someone else's ill gotten crypto gains, where like with Mafia money the hard part isn't getting the money, it's spending it without getting caught

Improved version

[manu0601]

This source leak will lead to a improved version, with less bug and more malwares.

Not really plausible

[gweihir]

I mean, what use is that code? You cannot use it in your own projects, because if it ever comes out you will get sued into the ground. This could come out from anybody that knows or from analyzing code.

Re:

[SirSlud]

A million dollars really isn't all that much. I doubt it was acquired to be useful for anything.

Re:

[gweihir]

Probably, yes.

Hallelujah!

[Randseed]

Maybe now third parties can fix the damned thing.

Purchased by: CD Projekt Red?

[sven_eee]

I would not be surprised if purchased by CD Projekt Red them self,
This way they can claim to not pay ransoms, and also stop the data from leaking out.

Re:

[LenKagetsu]

You know that sending a file to someone doesn't delete the data, right?

Re:Purchased by: CD Projekt Red?

[thegarbz]

You know that sending a file to someone doesn't delete the data, right?

I assume you're an American banker / CEO, but these are criminals we are talking about. They actually believe in acting ethically.