VX Underground, which tracks ransomware and other malware attacks, noted on Wednesday that the ransomed source code had been posted on a dark Web forum known as EXPLOIT. The starting bid was reportedly $1 million, with a $500,000 bidding increment and $7 million "buy it now" price.

Cyber intelligence firm KELA confirmed the authenticity of that auction, telling The Verge that forum users needed to put up 0.1 BTC (roughly $4,700 as of this writing) to participate in the bidding as a sign that offers were legitimate. The sellers also reportedly provided file listings for Gwent and the Red Engine that underlies CDPR's games as proof that the data was authentic.

While the auction was originally intended to run for 48 hours, by Thursday morning KELA and VX Underground were both reporting that it had been closed successfully. "An offer was received outside the forum that satisfied us," the sellers wrote, according to the reports.

[Update: At least one analyst sees reason to doubt the seller's report of a separate buyer swooping in from outside the auction. "There is another possible scenario that we think is more likely: no buyer exists and the closure of the auction is simply a means for the criminals to save face after failing to monetize the attack following CD Projekt’s refusal to pay the ransom," Emsisoft Threat Analyst Brett Callow wrote in a blog post. "We have seen this behavior in the past with REvil, a ransomware group that threatened to release damaging information about Donald Trump. Although the hacked law firm refused to pay to prevent the leak, the information was never published—the attackers just claimed to have sold it."]

KELA threat intelligence analyst Victoria Kivilevich told IGN that the stolen data was sold in a single package. The sellers also reportedly threatened on separate dark Web forums that CDPR will now have "a lot of interest [sic] things on their accounts alive [sic]" if they didn't close the auction by paying the ransom.

CDPR said on Monday that documents "relating to accounting, administration, legal, HR, investors relations, and more" were taken as part of the attack, adding that "we will not give in to the demands nor negotiate with the actor, being aware that this may eventually lead to the release of the compromised data."

Security experts analyzing the ransom note shared by CDPR have identified a hacking group known as HelloKitty as the likely culprit in the ransomware attack. That same group was reportedly behind a ransomware attack on Brazilian power company CEMIG, among others, late last year.

Peter Groucutt, the managing director of IT protection service Databarracks, said this kind of "Double Extortion" ransomware attack (where data is stolen and also locked behind an encryption key) could be a growing threat to businesses with popular intellectual property. "Ransomware originally sought to simply paralyze a business [and] victims with robust backups could refuse to pay the ransom and restore their data from backups," he said. "The difference between this attack and other Double Extortion attacks is the exfiltrated data was highly valuable IP. Even if you don’t pay up, criminals can still make a considerable amount of money by selling the IP. If these attacks prove successful, we may see a shift to targeting those organizations with the most valuable data."

A recent report by cybersecurity analysis firm Coveware found that total ransomware attack payments dipped slightly in the fourth quarter of 2020, after rising steadily for years prior, as more companies refuse to pay. An increasing number of those attacks now include threats to leak data online, Coveware found, and hackers often release stolen data even if the desired ransom is paid.