· 2 min readsecuritygaming

CD Projekt Red Hit by Ransomware, Attackers Claim to Have Source Code

CD Projekt Red says it was hit by ransomware; attackers claim to have stolen source for Cyberpunk 2077, The Witcher 3, and Gwent.

CD Projekt Red just confirmed something that a lot of studios dread more than a bad launch: it’s been hit by ransomware, and whoever did it isn’t just asking for a payout to unlock files. According to the studio’s own disclosure, attackers left a ransom note claiming they’d exfiltrated source code for Cyberpunk 2077, The Witcher 3, and Gwent, along with internal documents covering finance, HR, and legal matters.

This is a different flavor of ransomware than the classic “your files are encrypted, pay us to get them back” model. The double-extortion approach — encrypt what you can, but also steal a copy first — has become increasingly common because it gives attackers leverage even against victims who have solid backups. You don’t need to cripple the target’s operations if you can threaten to dump their crown jewels publicly instead.

And source code is about as close to crown jewels as it gets for a game studio. If the claims are accurate, we’re talking about the codebase for one of the most anticipated (and, after launch, most scrutinized) games of the last several years, plus the engine and systems work behind an entire beloved RPG trilogy. That’s not just embarrassing — it’s potentially useful to competitors, modders operating without permission, or anyone looking to find exploitable bugs before the studio patches them.

CD Projekt Red’s public stance so far is straightforward: they say they won’t pay the ransom, and they plan to restore affected systems from backups. That’s generally the right call from a game-theory perspective — paying doesn’t guarantee deletion of stolen data, and it signals to the broader ransomware ecosystem that this particular target is a soft one worth hitting again. But “we won’t pay” doesn’t make the leak risk disappear if the attackers already have copies sitting somewhere and decide to publish or sell them regardless.

What this means going forward

A few things worth watching. First, whether any of the claimed stolen data actually surfaces publicly — ransom notes sometimes overstate what was actually taken, and until code or documents appear somewhere verifiable, “claimed to have stolen” is doing a lot of work in that sentence. Second, how CD Projekt Red handles investor and player communication from here, since this is a publicly traded company and a breach of this scale carries disclosure obligations beyond just PR optics. Third, whether source code leaking (if it happens) leads to anything practical — private servers, cheat tools, or security researchers finding vulnerabilities that get weaponized before official patches land.

It’s also a reminder that 2021 is shaping up to be a rough year for ransomware generally, and gaming companies — sitting on valuable IP, player payment data, and often less mature security postures than banks or infrastructure operators — are attractive targets. Expect more studios to get hit before this trend cools off, if it cools off at all.

Related posts

Latest on Daily Signal

All posts →