Ubisoft’s in-game currency system breached in $13M hacker exploit

Ubisoft, a French video gaming giant, was forced to halt its Rainbow Six Siege live service during the weekend after a security breach occurred on its servers. The breach allowed hackers to distribute $13.33 million in credits to gamers’ accounts. 

According to an update shared on X during the weekend by the Ubisoft Rainbow Six Siege team, gamers’ accounts were flooded with up to 2 billion R6 Credits, which is the game’s premium currency. Following the incident, Ubisoft was forced to shut down all servers and the marketplace, initiating a rollback plan for all the breached transactions. 

Ubisoft pledges not to ban accounts for spending unauthorized credits

According to Ubisoft’s pricing structure, packs of 15,000 R6 Credits retail for $99.99. This means that for a gamer to achieve the 2 billion R6 Credits, they would have to spend roughly $13.33 million.  In addition to the in-game credit issued, the hackers compromised moderation systems that issued random bans and unbans, and manipulated the ban ticker to display custom messages. 

A rollback is currently ongoing and afterwards, extensive quality control tests will be executed to ensure the integrity of accounts and effectiveness of changes. The team is focused on getting players back into the game as quickly as possible. Please know that this matter is… https://t.co/cG4zBIBBGB

— Rainbow Six Siege X (@Rainbow6Game) December 28, 2025

Some gamers shared screenshots on X with fake ban notifications, and altered in-game messaging affecting all accounts across PC, PlayStation, and Xbox. Ubisoft has clarified that no gamers will be banned for spending unauthorized credits, with a targeted rollback of all transactions initiated after 11:00 AM UTC on December 27. The firm further explained that the ban ticker had been disabled, and any messages observed were unauthorized. 

Tom Clancy’s Rainbow Six Siege platform has concluded the rollback and live tests, with a soft launch coming back through tests with a few gamers, while Marketplace remains closed. The rollback process involved extensive quality control testing to verify account integrity, with initial tests completed. Ubisoft also conducted a soft launch for a limited group of gamers, and live test verification had been completed. 

The company has confirmed the reopening of the gaming servers after the conclusion of its live tests, and the game is now open to all gamers. The French publisher, however, cautioned that gamers may experience a queue when connecting as the services are ramping up. 

Rainbow Six Siege security breach linked to MongoBleed

A security research report by Cyber Security News has revealed that the breach at Ubisoft was linked to a MongoBleed vulnerability, which potentially allowed memory leaks and escalation to internal repositories. The French video game publisher has not revealed any information about the nature of the leak so far or data exfiltration.

Gamers who did not log in between December 27th, 10:49 UTC, and December 29th should expect no changes to their inventory. Ubisoft added that for those who did not connect after December 27th, 10:49 UTC, a small percentage may temporarily lose access to some owned items. 

The French video game publisher acknowledged the incident on Saturday and offered to investigate and resolve the matter. The firm clarified that investigations and corrections will continue over the next two weeks. Ubisoft has, however, kept the Marketplace closed until further notice as investigations continue. 

Tom Clancy’s Rainbow Six Siege’s ability to roll back the credits would not have been possible if the game had been built on decentralized technology. Alex Smirnov, co-founder of deBridge, revealed that a rollback in decentralized ecosystems introduces systemic issues that affect bridges, custodians, users, and counterparties who acted honestly during the affected window.

The Rainbow Six Siege franchise, launched in 2015, currently attracts roughly 34,000 gamers daily based on data from Active Player. The game is available for PC, PlayStation 4, Xbox One, PlayStation 5, and Xbox Series X|S.

Get seen where it counts. Advertise in Cryptopolitan Research and reach crypto’s sharpest investors and builders.