CD Projekt Red blackmailed with Cyberpunk 2077 files

Witcher developer CD Projekt Red have been threatened by an unknown person with the release of design documents about their upcoming RPG, Cyberpunk 2077, unless a ransom is met, the company have said. We don’t know the exact number behind that ransom but CD Projekt have rejected them anyway, and have asked people to “avoid any information” not coming from them directly.

“The documents are old and largely unrepresentative of the current vision for the game,” they said. “When the time is right, you will hear about Cyberpunk 2077 from us – officially.”

You can see the full statement about the threat in this tweet. The blackmailer is described as an “unidentified individual or individuals” who’ve got their hands on some files from the developer, including some “connected to early designs of the upcoming game, Cyberpunk 2077.”

“We will not be giving in to the demands of the individual or individuals that have contacted us, which might eventually lead to the files being published online. The appropriate legal authorities will be informed about the situation.”

It’s unclear how the files came into the blackmailer(s) hands, whether through hacking, an internal leak or some other way. We’ve been in touch with CD Projekt to poke for some more information but have been told: “The tweet is all we have to say.” An understandable response if the lawmen are due to get involved.

If you are DYING to know what might be coming up for Cyberpunk 2077, remember that it is E3 next week. Plus, you can always look at what the 1980s pen and paper RPG of the same franchise suggests. They’ve also boasted it is “bigger than anything” they’ve previously done and have reportedly been researching seamless multiplayer. In the meantime, we’ll let you know more about the blackmail if we learn anything juicy.


  1. Premium User Badge

    subdog says:

    The idea of hackers ransoming a company for its stolen files is pretty dang cyberpunk.

    CDPR should send some chromed up street samurais after them.

    • tbs says:

      The internet has ruined me: this seems like a marketing stunt. It might end up being a good stunt. But all the same, I can’t not see it that way.

      • Bforceny says:

        It’s becoming common: hospitals were hit a couple of weeks ago, a post production company working for Netflix got hit as well (with the ransomer publicly tweeting his demands). I don’t think this is a marketing stunt: I think this is just the fact that while some hackers are very good at penetrating systems, once they’re in they have no idea of what is valuable to a company. It should be obvious that a design documents leak is not a problem for a company (we call it advertising), but to these guys it’s not. I feel bad for them, it’s like the guy who can hotwire cars, but can’t drive and has no idea wether a particular car is expensive or desirable…

        • tbs says:

          You’re probably right. And to your point its not exactly damaging material. I suspect they’re like that guy in the movie Hackers and they just download garbage files looking for a golden worm.

        • sandineyes says:

          Concerning those hospitals, aren’t you talking about ransomware? While inconvenient for CD Projekt Red, it doesn’t sound like this theft is actually hindering their ability to work on the game. By contrast, ransomware, in the worst case, prevents you from accessing data, which is a much stronger incentive to pay up.

          • MajorLag says:

            Actually in the worst case you lose all your data because A) you paid and they didn’t decrypt anything, or B) you didn’t pay and tried to restore from backup only to discover your backups weren’t working or you lost the encryption key, and since you deleted the encrypted files off your systems you now have nothing.

            Neither of these situations are theoretical.

        • April March says:

          That carjacker metaphor is so brilliantly spot-on I kind of want to write a series based on it.

      • Duckeenie says:

        I wouldn’t put it past CDP, but looking at it objectively, it’s difficult to see what they have to gain if they’re going to be present at E3 next week.

      • Repojam says:

        Cyberpunk style stuff happening to them? I want to hope this is marketing.

      • tomimt says:

        I can see CDR pulling a stunt like this really. They did do a less than stellar stunt with GOG as well ages back when they announced the closure of the site just to pop it up again and called it a closure of beta phase or something like that.

    • eeguest says:


  2. Unclepauly says:

    Wow, the balls on some people. They really think this crap is going to work out? This type of blackmail is so hard to make work. Especially when even if the documents were hurtful, no dev could execute the designs as good as CDPR anyway! lol It’s like giving away the design for Witcher 3 to EA, they’d still make a game that ends up like Dragon Age hahah

    • Excors says:

      The problem isn’t really that other developers will copy their ideas. The problem is that the uncontrolled release of information about the game will mess up CDPR’s PR strategy. Their PR strategy is designed to maximise sales, so messing it up is expected to reduce sales. Even if this leads to extra publicity right now, it’s not very useful publicity since nobody can buy the game right now, and it might harm their ability to build up hype in the vital period just before the game’s release.

      Reducing sales means there is a substantial (albeit hard to quantify) financial cost. If the expected cost is much greater than what the blackmailer is asking for, it might seem sensible to pay the blackmailer, so it’s not necessarily a straightforward decision. (Of course if you do pay them, they’ll be encouraged to try the same against other companies, and other blackmailers will be encouraged to try the same against you, so it only makes sense from a selfish and short-term perspective. CDPR is doing the right thing by refusing to play along.)

      • April March says:

        Take it from someone who studied marketing: if there’s one thing it’s impossible to put a price on, it’s the value of marketing. We know that if you don’t advertise a product at all you probably won’t sell as much as if you did (probably!!!) but beyond that, how it should be advertised, to whom, how often, etc., that all lies somewhere between educated guesses and oral tradition.

        My point is, blackmailing a company by threatening to disrupt their marketing strategy is like blackmailing NASA my threatening to fire a pebble at a Jupiter-bound probe. It’s not that it won’t affect them at all, it’s just that the effect is so much more likely to be none than to be something irrecoverable that to refuse the backmail and roll with the effects will always be the correct decision. Of course, for the marketing metaphor to work, NASA had to send probes without math, just by trying to fire them more or less the way a previous succesful probe went…

  3. Dorga says:

    I actually believe it would be much better if you avoided covering the leaks, since that would just play in the thieves’ hand. I know any information regarding this game is bound to generate a lot of buzz, but I think ignoring the leak would set a really nice precedent.

    • Valkyr says:

      Exactly. I shook my head when I read “we’ll let you know more about the blackmail if we learn anything juicy.” It’s exactly what the blackmailers want in order to pile up more pressure on the victims. That kind of decision is totally irresponsible.

      • Archonsod says:

        Pressure how exactly? They’re going to release some early design documents for a forthcoming game if they don’t get paid. I’m sure CDProjekt are quaking in their boots – usually they’d have to pay someone in marketing to get them to release that kind of information…

    • Brendan Caldwell says:

      Hi there. As the article states, CD Projekt have already decided not to concede to the demands of the ransomer(s), so any “added pressure” is no longer an issue. If you think it is irresponsible of us to write news about a newsworthy event, do you also think it irresponsible of CD Projekt to make a public announcement bringing attention to it? Presumably, their intention was to have the media boost their message of asking people not to view anything that does not come directly from them. Your concerns are well-intentioned and I understand the desire not to help the hackers/leakers/whoever, but that desire to not talk about it openly also reflects a kind of “oxygen of publicity” fallacy that usually gets cited to help those in powerful positions to silence an otherwise important or newsworthy event. In any case, this is something that CD Projekt brought to the public and media’s attention themselves. I hope that clears up our thinking about the post.

      • Valkyr says:

        Wasn’t CDProjekt’s intention, rather than to make a public announcement of the situation, to make people aware of their situation and to appeal to their customers’ good will in not giving in to the blackmailers’ scheme? Which is why they didn’t answer your poke as well?

        You make a good point, but publishing or not publishing is not as absolute a question as would a rhetoric (logical) fallacy be. By reducing this decision to a fallacy, you basically strip it away from the complexity arising from situation, context, quantity, etc. I have to admit my reaction was mainly due to your word “juicy” which appeals to stories generating revenue on the back of scandal-ridden victims. I then understood RPS to have money-making intentions, prioritized over a dignified and thoughtful stance.

        I actually don’t want to silence you on the matter, but to direct your publishing strategy over something less juicy, or just something less; such a behaviour would help the victims.

      • Twitchity says:

        I would say, from a journalistic standpoint, that news *about* the leaked documents are newsworthy, but the *contents* aren’t, unless they point to something unusual about CDPR’s practices. In a time when the cyberpunkish concept of “info-terrorism” — from the arguably high-news-value theft of controversial government documents, through the grey area of stolen email archives, to the zero-news-value nonconsensual release of nude photos — has become a reality, we should balance actual newsworthiness of information against the damage inflicted by unlawful theft and exposure of it.

      • Excors says:

        Regarding pressure: It might not make much difference to CDPR now, but what about the next time a different company gets blackmailed?

        Possible scenario #1: “If we refuse to pay, they’ll release our private files, but all the reputable gaming news sites will coordinate to boycott it and will refuse to spread any illegitimately-acquired information, and won’t even alert their readers that there is anything to search less-reputable parts of the web for, just like they did with Cyberpunk 2077. Some people will still spread the information on Twitter or whatever, but most potential customers will never see it there, so it will cause limited damage to us. Therefore we don’t need to pay the ransom.”

        Possible scenario #2: “If we refuse to pay, they’ll release our private files, and all the reputable gaming news sites will blab all the juicy details to their readers in multiple prominent articles, and those articles will show up highly in search results for our game forever, just like with Cyberpunk 2077. Lots of our potential customers will see that, so it will cause significant damage to our marketing plans, and maybe we should pay the ransom to avoid that.”

        Maybe #1 is a bit unrealistic (I guess it’s hard to get that level of coordination and agreement between sites that all want to compete for eyeballs) but it seems a worthwhile goal to work towards.

        • Stellar Duck says:

          News sites are not, and this may get close to ethics, put in this world to protect companies profits.

          I’d find it quite problematic if there was an agreement not to publish stuff like this.

          • poliovaccine says:

            Agreed – there’s no degree of collusion or abetting in reporting on the story, but there absolutely would be if there were an agreement not to cover the story out of a perceived benefit to CDPR. This site’s agenda is to report on gaming news, and anyway I’d think keeping the issue quiet would actually be more useful to the blackmailers than anything – which is likely why CDPR broke the news themselves.

            Even if it’s “only” gaming news, journalists have an obligation against playing favorites like that… and anyway, calling that “playing favorites” is taking for granted that stifling this story would be somehow good for CDPR, which I see as a flawed assumption in the first place.

          • Valkyr says:

            I entirely agree with you, but this argument is not relevant to the situation at hand.

            Deciding whether, or what or how etc., to (further) publish in this situation would not be motivated by the aim of protecting any company’s profits, even if the latter might be a collateral consequence. It would be motivated by the aim of not helping, not giving more power to, and ultimately not being manipulated by authors of a morally despicable (and maybe legally criminal?) act. Whether a company’s profits would be protected or damaged is not a factor in this decision-making.

            I don’t know if my ethical reasoning is clear, but at least I tried.

            If it makes it clearer: I don’t care if a company is damaged. I care if blackmailers are helped. Especially when the leak is not about any wrongdoing from a company, only information about their honest work.

      • Merry says:

        I completely agree with Valkyr. Phrases such as “we’ll let you know more about the blackmail if we learn anything juicy” is unprofessional and at complete odds with your wall of stern text telling us off for even thinking about questioning you

        I expect more of RPS, or perhaps more of you, Brendan. You made the wrong choice here

      • Dorga says:

        I don’t know Brendy, we’re not talking about whistle blowers leaking info that they believe will benefit the public here, this are just blackmailers trying to hurt a company, nobody is set to gain anything here but them. It’s not like they are uncovering some shady practices by CDP or doing any service to the community.
        I believe this will just fuel wild speculations and the hype machine that is so often cause for future grief and abuse, see No Man’s Sky or a million other instances. Many times, and rightly so, we talk about making the industry more matur, taking it beyond the constant grind for attention and sensation, the preorder exclusives and the pre-release season passes. In today’s podcast you say that as a communinity we’re always dying for the next big thing, without appreciating enough what’s ready there; these seems like a good opportunity to try and take a different path.

      • dontnormally says:

        I, for one, will absolutely be looking at the leaked materials, pinch of salt in hand, without a measure of shame or presumption.

    • hfm says:

      I was looking at the comments to say the EXACT same thing. ” In the meantime, we’ll let you know more about the blackmail if we learn anything juicy.” ..

      No. Don’t signal boost these asshats.

  4. Don Reba says:

    [CD Projekt] asked people to “avoid any information” not coming from them directly.

    That sure sounds like a cyberpunk dystopia.

  5. Premium User Badge

    Drib says:

    As much as the cyber-espionage fits in with the gameworld, it’s still pretty crap to see people doing this.

    Good on CDPR for not bothering with it. Yeah, call them out, say you’re not paying, and call the cops. That’s the way to do it. Maybe the noise the idiot makes by publishing stuff will just promote the game anyway.

    I approve all around, I have to say. Other than the guy blackmailing them, but you know.

    • poliovaccine says:

      Well yeah, I would be severely disappointed to see them incentivize this behavior by copping to the demands – especially since a major victory for the blackmailers like that would only incite and embolden other such entities to say, “Ho damn, that crazy shit actually worked!”

      Basically, every bit as much as I’m actively proud of their response, I’d be actively dismayed if they’d done anything different. That’s not a precedent we want to see set, in this or any industry.

  6. Jeremy says:

    They played that well by undermining the quality of the leaked data before it was leaked. Some people will look at it and possibly speculate, but games change so often that pre-pre-release info is as good as no info.

    • Don Reba says:

      STALKER is a great example for how to handle leaks. It had a lot of leaks prior to the release and after, including whole builds. The policy towards them was that it wasn’t allowed to advertise them on official forums, but no one ever got punished for it. Eventually, GSC officially put a complete early build in the open, so modders could have a field day with it.

      • Sly-Lupin says:

        I don’t think this is a stunt per se, but it is definitely some VERY good PR work. CDPR is one of the few developers out there that seems to realize that making a show of respecting your consumers produces enormous dividends.

  7. CAMN says:

    Another case of bad things happening to good people. Why not go after Konami? No one would be pissed about hackers messing up with them.

    • horrorgasm says:

      What could you release that would embarrass Konami at this point though? They don’t have any shame left.

  8. ColonelFlanders says:

    Good lads. Don’t give in to these fuckers. I don’t need to see what shit they’ve got from you or what they present, they are fucking morons and I trust your pedigree enough to know that I’m probably gonna like what you make.

  9. RichUncleSkeleton says:

    Design documents? Oh no! Maybe they’ll threaten to release some concept art next.

    • teije says:

      Exactly. Who cares. This is the kind of stuff that gets produced by the reams early in a project and gathers dust afterwards. I’ve written my share of software design docs over the years and the early ones often bear little resemblance to the released product.

  10. Seafoam says:

    Heh, it’s the same thing with top secret recipes.
    If I were to steal Coca Cola’s recipe, and then publish it to the world, Coca Cola company could just deny it and that would be that.

    People would still buy Coca Cola, and even if the leaked recipe would taste the same no-one could know for certain that it’s the same stuff as Coca Cola.
    Same rule applies here. Even if the files would be the most recent ones, the developers could just deny and say they are old designs and no-one could ever know.

  11. Don Reba says:

    I’m glad CD Projekt refused the hackers’ demands, and I also hope the information does get published. ?

  12. karnak says:

    Or it could juste be some sort of bizarre “hacking/cyberspace” marketing strategy in order to start generating hype for the game.

  13. zulnam says:

    I’ve never asked for this.

  14. Furiant says:

    Most developers can’t even deliver what they officially promise. It’s not like this is going to spoil any surprises; the game is bound to be mostly derivative anyway.

    Let the bottom-feeders release the docs; in the end it will have cost them more than they made, and the internet will side with the company. Just a dumb idea all around.

  15. Sin Vega says:

    Good for them. I hope they told these idiots to shove their ransom up their arse.

    • April March says:

      I hope they told them to shove their cyber-ransom up their Megapoop ArtseHole 2050™.

  16. Dudeist says:

    They should copyright files, like a cyberpunk word. Problem solved.

  17. racccoon says:

    What a douche bag the blackmailer is..he/she should of just released them freely now he/she is just a dumb ass blackmailer..

  18. Czrly says:

    “multiplayer”! Oh Horrors. Oh please let it NOT be multiplayer… or worse, an MMORPG.

    Honestly, I can’t think of anything I want LESS of than a rich open world done right (as only CDPR seem able to do) spoiled by a bunch of random internet idiots.

    (No. I don’t have any friends. And, if I did, we’d be playing games like Quake 3 and Starcraft, in the same garage, with beer and pizza and pranks.)

  19. jp says:

    Perfect chance to spread malware among “design documents” to all the curious Cyberpunk fans too.

    • Sandro says:

      Do you really think that the people is so stupid that they would download a file uploaded by a cybercriminal?