Cyber Incident Victim: GSC Game World
Date: May 2023
Location: Ukraine
Summary
A threat actor compromised a GSC Game World employee account, stealing unknown assets and issuing demands under threat of blackmail. The demands included an apology to players from Russia and Belarus, unbanning a Discord user, and restoring Russian localization for a game. Subsequently, encrypted development builds of S.T.A.L.K.E.R. 2 appeared online, though a connection to the initial extortion incident remains unconfirmed by the company.
Description
In late March 2023, GSC Game World, the Ukrainian developer of the highly anticipated video game S.T.A.L.K.E.R. 2, experienced a security incident. The compromise began when attackers gained unauthorized access to an employee's account. Unlike many such intrusions, this breach did not involve the deployment of ransomware or other forms of malware. Instead, the attackers exfiltrated several digital assets from the company's systems. The nature and full scope of these stolen assets were not publicly disclosed by the company at the time.

Following the theft, the attackers issued a list of specific demands to GSC Game World. These demands were presented under the explicit threat of blackmail, indicating the stolen materials would be used against the company if compliance was not achieved. The demands were politically and community-focused rather than financial. The first demand required the company to change its mind and rethink its attitude towards players from Belarus and Russia, accompanied by an apology for what the attackers described as an unworthy attitude towards ordinary players from these countries. This demand was contextualized by the studio's recent history, which included relocating most of its employees from Kyiv to Prague in the Czech Republic due to the ongoing Russian invasion of Ukraine. A second demand called for the unbanning of a specific user profile, identified as N.F. Star, from the company's official Discord server. The attacker claimed the ban was unjust and stated it was the reason they had to "stop holding back." The final demand insisted on the return of Russian-language localization for the game, arguing that fans were waiting for it and that the game should not be spoiled for people because of politics.

The company did not immediately release a detailed public statement regarding the March incident, and it remained unclear whether any of the attackers' demands were met. The incident did not initially appear to involve a public data leak of the stolen assets. The situation evolved several months later, on or around May 31, 2023, when development builds of S.T.A.L.K.E.R. 2 surfaced online. These builds were found to be encrypted, and the identity of the individual or group who uploaded them was unknown. The appearance of these files led to speculation within the gaming community, including on platforms like Reddit, about a potential connection to the earlier security breach at GSC Game World.

An analysis of the new leak indicated significant differences from the March incident, suggesting it could be an entirely separate security event. The May leak of development builds was not accompanied by any public threats, demands, or discussions on Russian social media platforms by parties claiming responsibility. This absence of communication or coercion attempts contrasted sharply with the previous extortion attempt. One theory posed by the online community was that the development builds might have been leaked accidentally or mistakenly by the studio itself during its internal processes, rather than through a malicious external hack. GSC Game World did not issue any public statements or confirmations regarding the source of the May leak or whether it was indeed connected to the March account compromise.

The full impact of the development build leak on the studio's operations or the game's intellectual property was not detailed publicly. The primary consequence was the unauthorized availability of pre-release game code online, which posed a risk to the integrity of the development process and potential spoilers for the community. The studio's response, including any internal investigation or containment measures taken following either incident, was not publicly documented in the available information.
