The chaos surrounding Ubisoft escalated significantly today as the first group of hackers, previously known for silent exploits, initiated a highly visible and disruptive takeover of Rainbow Six Siege servers.
Players worldwide are reporting a massive influx of in-game currency, unwarranted bans, and taunting messages broadcast directly through the game’s administrative feeds.
Starting early this morning, thousands of Rainbow Six Siege players logged in to find their accounts inexplicably credited with millions in R6 Credits, Renown, and Alpha Packs. Reports indicate that exclusive skins and items, typically locked behind paywalls or legacy events, were unlocked for random users.
The situation quickly escalated when the attackers weaponized the in-game ban feed, usually reserved for anti-cheat notifications. Numerous high-profile accounts, including official Ubisoft administrators and popular streamers, were hit with temporary or permanent bans.
Screenshots circulating on social media confirm the attackers are using the ban system to communicate. One striking image captures a sequence of bots with specific usernames being banned in order, spelling out a cryptic warning: “What else are they hiding from us?”
Another broadcast signaled a temporary pause to the hostilities, with a user named “We stopping this for now, have a nice night everyone at Ubisoft!” being banned for “Toxic Behavior”. This brazen mockery suggests the attackers have high-level administrative control over the game’s live service backend.
Ubisoft has issued an official statement on today’s breach, but servers have intermittently gone offline for unannounced maintenance and restarts. Security experts and community leaders are advising players to avoid logging into Ubisoft Connect or Rainbow Six Siege until the publisher confirms server integrity, citing potential data corruption or further account tampering.
According to vx-underground, the live-service disruption appears to be the work of the First Group, unrelated to the source code theft reported earlier this week. The incident highlights a fractured landscape of threat actors currently targeting the publisher:
| Group | Key Actions/Claims | Confidence/Status | Relations |
|---|---|---|---|
| First | Exploited R6 Siege for bans, inventory mods; gifted $339.96T in-game currency. No user data touched. | High (Ubisoft-confirmed rollback). | Frustrated with Second/Fourth drama. |
| Second | MongoBleed pivot from MongoDB to Git repo; exfiltrated 90s–present source code, SDKs, multiplayer code (~900GB). | Medium-high (multi-source verified). | Accused by Fourth of prior access, masquerading. |
| Third | MongoBleed user data exfil; Telegram extortion with group name. | Low (unverified claims). | Unrelated? |
| Fourth | Denies Second’s novelty; claims long-term Second access, hiding behind First for leak pretext. | Medium (forum activity). | Aligned with First vs. Second. |
While today’s siege is likely due to an API authorization failure, the broader breach involving the Second Group is linked to CVE-2025-14847 (MongoBleed).
This flaw enables attackers to read server memory without authentication by sending malformed compressed packets. If the Second Group’s claims of pivoting to internal Git repositories are true, Ubisoft faces a catastrophic loss of intellectual property that could fuel cheat development for years to come.
Ubisoft is expected to perform a massive rollback of player data to undo the economic damage, a move that will likely frustrate legitimate progress made by players over the weekend.
