PROBABLYPWNED
Malware | May 13, 2026 | 4 min read

Foxconn Confirms Ransomware Attack on US Factories After 8TB Theft Claim

Nitrogen ransomware gang claims 8TB of data including Apple, Nvidia, and Intel files from Foxconn's Wisconsin and Texas facilities. Fourth major ransomware incident for the electronics giant.

James Rivera

Foxconn, the world's largest electronics manufacturer, confirmed a cyberattack on its North American operations after the Nitrogen ransomware group claimed to have stolen 8 terabytes of data—including files allegedly belonging to Apple, Nvidia, Intel, Google, and Dell.

The attack struck Foxconn's facilities in Mount Pleasant, Wisconsin and Houston, Texas in early May. Network issues began May 1 at 7 AM ET, with plant infrastructure disruptions escalating by 11 AM. Production halted for approximately a week before partial operations resumed.

What Nitrogen Claims to Have Stolen

The ransomware gang posted Foxconn on its leak site this week, claiming to possess:

  • 8 terabytes of data spanning more than 11 million documents
  • "Confidential instructions, projects and drawings" from Apple, Intel, Google, Nvidia, AMD, and Dell
  • Product schematics, technical guidelines, and internal bank statements

However, some analysts question the severity of the data exposure. The Mount Pleasant facility primarily manufactures televisions and data servers—not Apple devices. Sample files published by Nitrogen haven't shown circuit diagrams or product development documents that would indicate access to Foxconn's most sensitive customer data.

Foxconn's Response

The company acknowledged the breach in a statement: "Some of Foxconn's factories in North America suffered a cyberattack. The cybersecurity team immediately activated the response mechanism and implemented multiple operational measures to ensure the continuity of production and delivery. The affected factories are currently resuming normal production."

Foxconn hasn't disclosed whether it's negotiating with the attackers or what specific data was compromised.

The Problem With Paying Nitrogen

Here's where it gets worse for any victim considering payment: Nitrogen's decryptor doesn't work.

In February 2026, Coveware researchers warned that a programming error in Nitrogen's ransomware encrypts files with incorrect keys. The bug means the gang's own decryption tool can't recover victim data. Paying the ransom is functionally useless—files remain corrupted regardless.

This isn't uncommon among ransomware operations that borrow code from leaked builders. Nitrogen reportedly built its encryption tool using the Conti 2 builder code that leaked in 2022, and coding flaws carried over.

Fourth Time's the Charm

Foxconn has become something of a ransomware repeat victim. This marks the company's fourth significant extortion incident in six years, following three earlier ones:

  • 2024: LockBit targeted Foxconn operations
  • 2022: LockBit hit a Mexican facility, disrupting production
  • 2020: DoppelPaymer breached a Mexico facility and demanded 1,804 Bitcoin (roughly $34 million at the time)

The pattern suggests either persistent security gaps or that Foxconn's massive attack surface—900,000+ employees across 240 campuses in 24 countries generating $260 billion in 2025 revenue—simply offers too many entry points. For a company manufacturing components for nearly every major tech firm, repeated ransomware incidents raise supply chain integrity questions.

The West Pharmaceutical ransomware attack disclosed this week similarly highlighted how attacks on manufacturers ripple through customer supply chains. When critical suppliers go offline, everyone downstream feels it.

Who Is Nitrogen?

Nitrogen started in 2023 as a malware loader delivering BlackCat/ALPHV ransomware. By mid-2024, the group evolved into an independent operation running its own ransomware strain and conducting double-extortion attacks—encrypting systems while threatening to leak stolen data.

According to Ransomware.live tracking, Nitrogen has claimed 47 victims to date. The majority (33) are in the United States, with six in Canada. The group's infrastructure has been linked to Eastern European operations.

Double extortion has become the dominant ransomware model because it works even when backups exist—the same tactic INC Ransom recently deployed against maritime targets. Encrypting files creates operational pressure; threatening to leak data adds reputational and regulatory pressure. For organizations handling customer data from multiple Fortune 500 companies, that second threat carries significant weight.

For organizations facing similar threats, our ransomware defense guide covers preparation fundamentals—including why backup restoration alone doesn't neutralize modern attacks.

What Happens Next

Foxconn stated production is resuming at affected facilities, but the data exposure question remains open. If Nitrogen's claims about Apple and Nvidia files are accurate, those companies face potential intellectual property exposure through a third-party breach.

Neither Apple, Nvidia, Intel, nor the other named companies have publicly commented on whether their data was actually compromised. Given the Mount Pleasant facility's focus on consumer electronics and servers rather than Apple hardware, the actual sensitivity of stolen materials may be limited.

Still, 8 terabytes represents substantial data regardless of classification. Foxconn's pattern of ransomware incidents—four in six years—suggests the company remains in attackers' crosshairs. Whether this reflects inadequate security investment or simply the reality of defending a massive global manufacturing operation, the trend isn't encouraging for customers depending on Foxconn's supply chain integrity.
