CD Projekt Red HelloKitty ransomware and source-code theft (2021)
HelloKitty ransomware encrypted CD Projekt Red devices and exfiltrated source code for Cyberpunk 2077, The Witcher 3, Gwent, and an unreleased version of The Witcher 3. CDPR refused to pay; the data was auctioned and reportedly sold to a private buyer.
- Victim: CD Projekt Red
On 9 February 2021, the Polish studio CD Projekt Red (developer of Cyberpunk 2077 and The Witcher 3) disclosed a ransomware attack by what was later identified as the HelloKitty ransomware family. The note left on encrypted machines claimed the attackers had stolen source code for the studio's biggest games, plus HR and financial documents, and demanded a ransom for non-publication.
What happened
The attackers gained access to CDPR's internal network and encrypted some devices. The ransom note's specific claims (source for Cyberpunk 2077, The Witcher 3, Gwent, and an unreleased Witcher 3), combined with internal corporate records, made for an unusually high-stakes leak threat for a game-development studio.
CDPR's public response, posted within 24 hours, became a case study in how to refuse a ransom: confirm the facts, decline to pay, and commit to backup restoration. Security researchers, examining artefacts from the ransom note and the encrypted-file extensions, identified the malware family as HelloKitty (the name is a coincidence and has no connection to the well-known consumer-products brand).
Within weeks, a threat actor using the handle redengine listed the stolen CDPR data for auction on a hacker forum. The auction was later closed with a claim that the data had been sold to a buyer "outside the forum" under non-redistribution terms, though no technical proof of the sale was published, and security researchers remained sceptical.
Impact
- Source code for four major games (released and unreleased) claimed stolen.
- HR and financial records also claimed exfiltrated.
- CDPR refused to pay the ransom.
- Stolen data reportedly auctioned and sold to a private buyer.
- No safety or operational disruption to CDPR's live games beyond the IT-recovery work.
Why it matters
CD Projekt Red set an early high-profile example of how to refuse a game-studio ransom without losing the company: confirm the breach publicly within a day, name the asset categories at risk, decline to pay, and restore from backups. The case also previewed a now-common pattern: stolen IP gets monetised via underground auctions, regardless of whether the original victim pays.
Timeline
CD Projekt confirms via Twitter that an unidentified actor has gained access to its internal network, encrypted devices, and stolen data. The ransom note claims theft of source code for Cyberpunk 2077, The Witcher 3, Gwent, and an unreleased Witcher 3 build, and threatens to publish HR and financial documents.
CDPR publicly refuses to pay the ransom and confirms it will restore from backups; researchers identify the malware family as HelloKitty.
A threat actor named 'redengine' lists the stolen CDPR data for auction on a hacker forum.
The auction closes; the seller claims the data was sold to a buyer 'outside the forum' under terms requiring the seller to stop distributing it. No technical proof of the sale was published.
Sources
- techcrunch.com: https://techcrunch.com/2021/02/09/cd-projekt-red-hit-by-ransomware-attack-refuses-to-pay-ransom/
- bleepingcomputer.com: https://www.bleepingcomputer.com/news/security/cd-projekts-stolen-source-code-allegedly-sold-by-ransomware-gang/
- emsisoft.com: https://www.emsisoft.com/en/blog/37783/hellokitty-ransomware-group-likely-responsible-for-cd-projekt-attack-heres-why/
- infosecinstitute.com: https://www.infosecinstitute.com/resources/malware-analysis/hellokitty-the-ransomware-affecting-cd-projekt-red-and-cyberpunk-2077/