Nitrogen ransomware group has breached Foxconn's North American factories, stealing 8TB and 11 million files allegedly tied to Apple,

Continue reading
In the early hours of May 11, 2026, a name appeared on a dark-web extortion portal that sent shockwaves through the global technology supply chain: Foxconn — the Taiwan-headquartered giant that quietly assembles the world's most coveted consumer electronics. The Nitrogen ransomware operation had just publicly listed it as a victim, claiming to have walked off with 8 terabytes of data and more than 11 million files. Two days later, Foxconn confirmed it. This is what the facts tell us.
| Metric | Figure |
|---|---|
| Data claimed stolen | 8 TB |
| Files exfiltrated | 11 million+ |
| Foxconn 2025 revenue | $258.3 billion |
| Global employees | 900,000+ |
| Global campuses | 240 across 24 countries |
| Fortune Global 500 rank | #28 |
Nitrogen is not a household name — yet. Active since 2023, the group is believed to operate on leaked source code derived from the notorious Conti 2 builder, placing it in a lineage of some of the most destructive ransomware crews in history. Security researchers also suspect ties to the ALPHV/BlackCat ransomware ecosystem, whose infrastructure was seized by US authorities in late 2023 but whose affiliates scattered and regrouped under new banners.
Nitrogen employs a classic double-extortion playbook: encrypt the victim's systems and simultaneously exfiltrate sensitive data, then threaten to publish it publicly if a ransom is not paid. Its targeted sectors include construction, financial services, manufacturing, and technology — Foxconn fitting squarely in that crosshair.
May 9, 2026 Wi-Fi disruptions begin at Foxconn's Mount Pleasant, Wisconsin facility. Employees report network outages and are sent home. Computers go offline, forcing workers to resort to pen and paper for operational tasks.
May 10, 2026 Foxconn acknowledges to DysruptionHub that it is experiencing "technical issues" and has activated emergency response mechanisms — stopping short of using the word cyberattack.
May 11, 2026 Nitrogen posts Foxconn on its dark-web leak site, claiming 8TB of stolen data including files purportedly tied to Apple, Intel, Google, Dell, Nvidia, and AMD.
May 12, 2026 Foxconn officially confirms the cyberattack in a public statement: "Some of Foxconn's factories in North America suffered a cyberattack. The cybersecurity team immediately activated the response mechanism and implemented multiple operational measures to ensure the continuity of production and delivery."
May 14, 2026 Affected factories are reported to be resuming normal production. Foxconn has not confirmed whether customer data was actually stolen or whether a ransom demand was issued or received.
Nitrogen's claim is sweeping: 11 million files totalling 8TB, allegedly including confidential hardware schematics, circuit board layouts, integrated circuit documentation, internal project briefs, temperature sensor records, and financial files from the Houston, Texas facility. The group also posted sample files on its dark-web portal as purported proof of access.
The tech companies whose projects are allegedly implicated: Apple, Nvidia, Intel, Google, Dell, and AMD.
> However, Foxconn's Mount Pleasant facility primarily manufactures televisions and data servers — not iPhones, iPads, or other Apple consumer devices. Analysis of the available sample files suggests no Apple circuit diagrams, product development documents, or quality control data are present among them.
This is a critical distinction. Foxconn assembles Apple's flagship products at entirely separate facilities, predominantly in China and increasingly in India. The Wisconsin plant's product mix makes the Apple-related theft claim the weakest element of Nitrogen's narrative — most likely an inflation tactic designed to maximise media pressure and extortion leverage on Foxconn.
Reports point to two confirmed disrupted sites: the Mount Pleasant, Wisconsin manufacturing complex — a facility with a troubled history since its 2017 groundbreaking — and the Houston, Texas operational site. Foxconn also maintains manufacturing presence in Ohio, Virginia, Indiana, and multiple locations across Mexico, though none of these have been publicly linked to this specific incident.
Foxconn has been struck by ransomware gangs at least four times in six years:
December 2020 — DoppelPaymer The CTBG MX facility in Ciudad Juárez, Mexico was hit. Attackers demanded 1,804 Bitcoin (approximately $34.6 million at the time), encrypted up to 1,400 servers, and destroyed an estimated 20 to 30TB of backup data.
May 2022 — LockBit LockBit struck a Foxconn production plant in Tijuana, Mexico, disrupting manufacturing operations.
January 2024 — LockBit LockBit attacked Foxsemicon Integrated Technology — a semiconductor equipment subsidiary within the Foxconn Technology Group — with defacements and data breach claims.
May 2026 — Nitrogen Nitrogen breaches North American factories in Wisconsin and Texas — the most geographically significant attack yet, striking US soil directly and implicating the supply chains of multiple Fortune 500 technology companies.
The pattern is not coincidental. As the world's largest contract electronics manufacturer, Foxconn's network contains proprietary data from virtually every major technology company on earth. For ransomware gangs, breaching a single supplier is the functional equivalent of breaching dozens of technology brands simultaneously. The extortion leverage is multiplied accordingly.
Furthermore, the sheer scale and geographic spread of Foxconn's operations creates a vast attack surface. Hundreds of facilities, millions of endpoints, and deep supply chain integrations with thousands of component vendors — each integration a potential entry vector. For a sophisticated threat actor, a company of Foxconn's footprint is not a hardened target. It is a persistent, high-value opportunity.
This incident arrives at a particularly sensitive moment. US-China trade tensions and tariff regimes have already pushed technology companies to diversify manufacturing away from mainland China. Foxconn's North American investments — including the Wisconsin plant — were partly strategic responses to this geopolitical pressure. A major ransomware disruption at those very diversification sites underscores a sobering reality: relocating manufacturing geography does not automatically export better cybersecurity posture.
If Nitrogen follows through on publishing the stolen data, the downstream consequences could include exposure of unreleased product roadmaps, component sourcing strategies, pricing structures, and proprietary engineering documentation — giving competitors and state-sponsored actors alike a detailed window into the inner workings of Silicon Valley's most closely guarded projects.
Foxconn has confirmed the attack but has declined to answer several critical questions:
The silence on customer data confirmation is, by itself, telling. Companies that can definitively rule out data theft almost invariably say so immediately. The absence of that denial is the clearest signal available that the investigation remains open — and the worst-case scenario has not yet been ruled out.

DHS confirms a breach of its HSIN intelligence-sharing network during World Cup security operations; a senator warns of national security risk