VX Underground, which tracks ransomware and other malware attacks, noted on Wednesday that the ransomed source code had been posted on a dark Web forum known as EXPLOIT. The starting bid was reportedly $1 million, with a $500,000 bidding increment and $7 million "buy it now" price.
Cyber intelligence firm KELA confirmed the authenticity of that auction, telling The Verge that forum users needed to put up 0.1 BTC (roughly $4,700 as of this writing) to participate in the bidding as a sign that offers were legitimate. The sellers also reportedly provided file listings for Gwent and the Red Engine that underlies CDPR's games as proof that the data was authentic.
While the auction was originally intended to run for 48 hours, by Thursday morning KELA and VX Underground were both reporting that it had been closed successfully. "An offer was received outside the forum that satisfied us," the sellers wrote, according to the reports.
[Update: At least one analyst sees reason to doubt the seller's report of a separate buyer swooping in from outside the auction. "There is another possible scenario that we think is more likely: no buyer exists and the closure of the auction is simply a means for the criminals to save face after failing to monetize the attack following CD Projekt’s refusal to pay the ransom," Emsisoft Threat Analyst Brett Callow wrote in a blog post. "We have seen this behavior in the past with REvil, a ransomware group that threatened to release damaging information about Donald Trump. Although the hacked law firm refused to pay to prevent the leak, the information was never published—the attackers just claimed to have sold it."]