Foxconn Confirms North American Cyberattack; Nitrogen Ransomware Group Claims 8TB Data Breach

On May 12, 2026, electronics manufacturing giant Foxconn confirmed a cyberattack targeting several of its North American factories. Simultaneously, the Nitrogen ransomware group claimed responsibility for the breach, asserting it had exfiltrated approximately 8 terabytes of data and nearly 11 million files. The incident, which caused operational disruptions at the company's Wisconsin site beginning the previous Friday, raises immediate questions regarding the cybersecurity resilience of the world’s largest contract electronics manufacturer.

Key Takeaways
  • A Foxconn spokesperson confirmed the attack on North American facilities, stating that incident response protocols were activated and production is currently resuming.
  • An employee at the Mount Pleasant, Wisconsin, facility told DysruptionHub that the site faced days of Wi-Fi outages and unusable computers, forcing staff to work with pen and paper.
  • Nitrogen published its claim on Monday, May 11, 2026, alleging the theft of technical documentation related to Intel, Apple, Google, Dell, and Nvidia; these claims have not been independently verified.
  • Active since 2023 and utilizing code derived from the 2022 Conti leak, Nitrogen has not yet publicized a specific ransom demand, nor has the use of encryption (beyond data exfiltration) been confirmed.

Operational Disruptions in Wisconsin: Official Confirmation

In an email to The Record, a Foxconn spokesperson confirmed that several North American factories were hit by a cyberattack. The company did not disclose the exact number or a complete list of the affected facilities. According to the threat actors, the targeted sites include plants in Wisconsin, Ohio, Texas, Virginia, Indiana, and Mexico; however, this geography is based on the criminal group's claims rather than an official corporate bulletin.

At the Mount Pleasant facility in Wisconsin, the impact was felt as early as the Friday preceding the official confirmation. An employee interviewed by DysruptionHub and cited by The Record reported that the Wi-Fi connection had failed, computers were inoperable, and personnel were forced to rely on pen and paper for daily tasks. Foxconn had previously acknowledged "technical issues" at the center without initially using the term "cyberattack."

The corporate response was immediate. The spokesperson stated that the cybersecurity team activated incident response protocols and that the factories are now returning to normal production levels. While the operational update is reassuring, the communication does not clarify whether systems were encrypted or if the breach was limited to data exfiltration, nor does it provide details on the initial entry vector.

"The cybersecurity team immediately activated the response mechanism and implemented multiple operational measures to ensure the continuity of production and delivery. The affected factories are currently resuming normal production." — Foxconn spokesperson to The Record

Nitrogen Claims 8TB Data Theft on the Dark Web

The Nitrogen ransomware group posted its claim of the attack on Monday, May 11, 2026. In the announcement, the collective stated it had stolen approximately 8 terabytes of data and nearly 11 million files. While the volume and sensitivity of this information cannot be independently verified at this time, Silicon Republic reported that the group has shared file samples on a dark web portal.

In its claim, Nitrogen indicated that the exfiltrated documents include technical information related to projects for Intel, Apple, Google, Dell, and Nvidia. This list of potentially affected clients is based solely on the criminal group's assertions and has not been confirmed by forensic or official reports. Furthermore, it is unclear whether the attack compromised client systems directly or was limited to Foxconn’s internal infrastructure.

As of this writing, no specific ransom amount has been made public, and it remains unconfirmed whether production servers were encrypted. Without forensic reports from the security vendors involved in the investigation, the exact nature of the double-extortion tactics used in this campaign remains unclear.

Threat Actor Profile: From Conti Code to Foxconn

Nitrogen is a known entity in the threat landscape. According to researchers at Barracuda Networks, cited by The Record, "Nitrogen is a sophisticated and financially motivated threat group that was first observed as a malware developer and operator in 2023." The group employs a decryptor derived from the Conti ransomware source code leaked in 2022, placing it within a wider ecosystem of operations utilizing well-established codebases.

Silicon Republic cited contextual analysis from StepSecurity regarding the decryptor used, confirming its Conti lineage. The use of a known builder does not suggest a lower level of risk; on the contrary, the group’s operational maturity—demonstrated by its ability to hit a global target like Foxconn, which reported 2025 revenues of approximately $258.3 billion—suggests advanced capabilities in reconnaissance and initial access.

Foxconn has been targeted by ransomware in previous years, specifically in 2020, 2022, and 2024, though no direct link has been established between those incidents and the current Nitrogen campaign. However, the confirmation of a new breach raises structural questions about the defensive posture of a critical player in the global electronics industry.

The Gap Between Operational Recovery and IP Risk

Foxconn’s communication strategy has prioritized operational continuity. The resumption of normal production is the dominant message, consistent with Foxconn’s role as a vital link in the supply chain for the world's leading electronics vendors. However, Nitrogen’s claims introduce a second, more complex challenge that cannot be resolved by production updates alone: the potential exposure of technical drawings and engineering documentation.

This highlights a paradox within the global supply chain. A contract manufacturer handles third-party proprietary data on an industrial scale, but its public messaging necessarily prioritizes the assembly line. If the samples published on the dark web are authentic, the consequences extend beyond Foxconn to its entire client ecosystem.

The true impact lies in this uncertainty. While production may have resumed, the data could already be out of the company’s control. For the tech giants that rely on Foxconn, the primary concern is no longer the assembly line, but rather the verification—a process likely to take weeks or months—of exactly what information was exfiltrated from the servers.

Strategic Response and Mitigation

Organizations connected to the Foxconn supply chain, particularly industrial partners with technical data hosted on the manufacturer's systems, should prioritize several key actions.

First, verify the integrity and the physical/logical isolation of production backups and document repositories, as Nitrogen’s modus operandi typically involves massive data exfiltration. Second, conduct an immediate audit of historical access logs for resources containing blueprints and specifications related to the clients mentioned in the claim to map potential unauthorized access.

Third, intensify monitoring of dark web markets and specialized forums, as the group has already released file samples and may publish the full archive in the coming weeks. Fourth, isolate industrial network segments and reduce the attack surface on remote access protocols, given that Conti-derived codebases frequently utilize lateral movement techniques once initial access is achieved.
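One way to approach the second action, the historical access-log audit, shown as an added example that is not from the article or from Foxconn: it totals bytes read per account per day under repository paths tagged with the client names from the claim and flags days far above that account's own median. The CSV log layout, paths, account names and thresholds are assumptions, and the sample lines are constructed.

```python
import csv
import io
from collections import defaultdict
from statistics import median

# Clients named in the group's claim; used as repository path tags (assumed layout).
CLIENT_TAGS = ("intel", "apple", "google", "dell", "nvidia")

# Constructed sample log: date, account, path, bytes read (hypothetical format).
SAMPLE_LOG = """\
2026-05-04,jdoe,/eng/nvidia/board_a/schematic.pdf,52000000
2026-05-05,jdoe,/eng/nvidia/board_a/bom.xlsx,48000000
2026-05-06,jdoe,/eng/apple/fixture/drawing.dwg,50000000
2026-05-07,jdoe,/eng/nvidia/board_a/schematic.pdf,1400000000
2026-05-07,jdoe,/eng/apple/fixture/drawing.dwg,1000000000
2026-05-04,svc-backup,/eng/dell/archive.tar,3000000000
2026-05-05,svc-backup,/eng/dell/archive.tar,3000000000
2026-05-06,svc-backup,/eng/dell/archive.tar,3100000000
2026-05-07,svc-backup,/eng/dell/archive.tar,3000000000
2026-05-07,tmp-vendor,/eng/intel/test_spec.zip,1500000000
2026-05-07,tmp-vendor,/hr/handbook.pdf,900000000
"""

def audit(log_text, tags=CLIENT_TAGS, factor=10, min_bytes=1_000_000_000):
    """Return (date, account, bytes, baseline) for anomalous daily read volumes."""
    daily = defaultdict(lambda: defaultdict(int))  # account -> date -> bytes
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 4:
            continue  # skip blank or malformed lines
        date, account, path, size = row
        if any(f"/{tag}/" in path.lower() for tag in tags):
            daily[account][date] += int(size)
    findings = []
    for account, days in daily.items():
        for date, total in days.items():
            # Baseline is the account's own median on its other days;
            # an account with no other history has a baseline of 0.
            others = [v for d, v in days.items() if d != date]
            baseline = median(others) if others else 0
            if total >= min_bytes and total > factor * baseline:
                findings.append((date, account, total, baseline))
    return sorted(findings)

if __name__ == "__main__":
    for date, account, total, baseline in audit(SAMPLE_LOG):
        print(f"{date} {account}: {total} bytes (baseline {baseline})")
```

Comparing each account against its own history keeps a steady high-volume backup job out of the findings while still surfacing a first-seen account that reads a large volume in a single day.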

This incident demonstrates that industrial scale does not provide an automatic shield against ransomware groups using leaked code and compromised credentials. Foxconn’s official confirmation marks the end of the initial incident phase, but initiates a much longer period of assessing the damage to intellectual property and supply chain trust.

Frequently Asked Questions

Which group claimed responsibility for the Foxconn attack?

The Nitrogen ransomware group, active since 2023 and known for double-extortion operations. Researchers at Barracuda Networks describe them as a financially motivated entity using code derived from the Conti ransomware builder.

Has Foxconn confirmed the theft of data from clients like Intel, Apple, or Nvidia?

No. Foxconn has only confirmed a cyberattack on its North American factories and the resumption of production. The list of clients and the nature of the stolen files are currently based solely on unverified claims made by the Nitrogen group.

Was the attack limited to the Wisconsin facility?

No. While the Mount Pleasant site experienced documented disruptions, Nitrogen's claims and subsequent reports mention facilities in Ohio, Texas, Virginia, Indiana, and Mexico. Foxconn has not provided a comprehensive list of all affected plants.
