A ransomware group is attempting to extort the electronics manufacturing giant Foxconn, claiming that it stole 8 terabytes of data from the company, including schematics and project details from customers including Dell, Google, Apple, and Nvidia. Foxconn did not immediately respond to WIRED’s request for comment about the validity of the claims, but the company did acknowledge that some of its North American factories “suffered a cyberattack” in recent days, and that “affected factories are currently resuming normal production” after outages.
Foxconn is the type of target that is particularly appealing to ransomware and data extortion actors, because it is a massive company with divisions and subsidiaries around the world that hold not only its own intellectual property but that of its customers. The company is a key manufacturing contractor for electronic components or entire devices, including Apple’s iPhones.
“Ransomware groups are increasingly targeting victims that can impact the supply chain, whether it is physical or software,” says Allan Liska, a threat intelligence analyst at security firm Recorded Future. “So it’s unsurprising that a company like Foxconn would be targeted, since it does manufacturing and holds sensitive data for so many companies around the world.”
The attackers, known as the Nitrogen group, listed Foxconn on its breach site on Monday. Nitrogen, which emerged in 2023, is not the most high-profile or prolific ransomware actor, but it has been steadily active with some spikes, including at the end of 2024. The group, which typically targets victims in North America and Western Europe, also has connections to the notorious ALPHV/BlackCat ransomware group.
“While reports indicate that Nitrogen has been active since 2023, our first observation of their activity was in 2024, targeting Control Panels USA,” says Ian Gray, vice president of intelligence at the security company Flashpoint. “We have observed approximately 50 victims since launching, primarily targeting manufacturing, technology, and retail. Manufacturing is one of the most-targeted sectors for ransomware in general.”
The idea of Foxconn as a prime target is not just conceptual. The company has faced a number of extortion attempts, including a December 2020 attack on a Mexican facility in which the DoppelPaymer ransomware group memorably demanded 1,804 bitcoin (worth roughly $34 million at the time). The LockBit group hit another Foxconn facility in Mexico in May 2022 and disrupted production. Most recently, LockBit attacked a subsidiary called Foxsemicon Integrated Technology in 2024 with defacements and data breach claims.
In addition to attempting to extort victims by threatening to release data stolen in an attack, Nitrogen also often deploys traditional ransomware that encrypts a target’s systems. Researchers say that the group’s ransomware program itself was built off of widely repurposed “Conti 2” code, but it has a problem. Nitrogen’s encrypting mechanism has a design flaw that makes it impossible to decrypt data once it has been encrypted—even if the attackers want to release a victim’s systems. It is unclear if this is a factor in Foxconn’s incident response this week.
Ransomware and data extortion is an inveterate digital security problem, and attackers regularly repeat targets and stoop to new lows in carrying out large-scale disruptive attacks. Just last week, thousands of schools around the US were paralyzed amid finals and other year-end activities when the education tech firm Instructure shut down access to its Canvas platform following a breach perpetrated by extortion actors.
Updated at 6:15 pm ET, May 12, 2026, to include comment from Flashpoint’s Ian Gray.
