Ransomware group is trying to defraud electronics giant Foxconn, claiming to have stolen 8 terabytes of data from the company, including plans and project details from customers including Dell, Google, Apple, and Nvidia. Foxconn did not immediately respond to WIRED’s request for comment on the validity of the claims, but the company acknowledged that some of its North American factories were “suffered by a cyberattack” in recent days, and that “affected factories are currently resuming normal production” after the outage.
Foxconn is a very attractive target for ransomware and data thieves, because it is a large company with divisions and subsidiaries around the world that not only hold its intellectual property but also that of its customers. The company is a major manufacturing contractor for electronics or all devices, including Apple’s iPhones.
“Ransomware groups are increasingly targeting victims that can impact the market, whether physical or software,” said Allan Liska, threat intelligence analyst at security firm Record Future. “So it’s not surprising that a company like Foxconn would be targeted, because it produces and holds sensitive information for many companies around the world.”
The attackers, known as the Nitrogen Group, listed Foxconn as the site of the breach on Monday. Nitrojeni, which appeared in 2023, is not the most advanced or prosperous ransom actor, but it has been active continuously with some spikes, including at the end of 2024. The group, which often targets victims in North America and Western Europe, also has connections to the popular ALPHV/BlackCat ransomware group.
“Although reports indicate that Nitrogen has been active since 2023, our first sighting of their activity was in 2024, targeting Control Panels USA,” said Ian Gray, vice president of intelligence at security firm Flashpoint. “We’ve seen about 50 victims since launch, mostly targeting manufacturing, technology, and retail. Manufacturing is one of the most targeted sectors for ransomware in general.”
The idea of Foxconn as a target is not just an idea. The company has faced a number of extortion attempts, including a December 2020 attack in Mexico where the DoppelPaymer ransomware group demanded 1,804 bitcoins (worth about $34 million at the time). The LockBit group attacked another Foxconn facility in Mexico in May 2022 and disrupted production. Recently, LockBit attacked Foxsemicon Integrated Technology subsidiary 2024 with corruption and data breach claims.
In addition to trying to trick victims into threatening to release the data stolen from the attack, Nitrogen also often uses traditional ransomware that encrypts the target’s systems. Researchers say that this ransomware group’s program is based on the widely used “Conti 2” code, but it has a problem. Nitrogen’s encryption method has a design flaw that makes it impossible to decrypt data once it’s encrypted—even if attackers want to compromise victims’ systems. It is unclear whether this is the cause of the Foxconn incident this week.
Ransomware and data extortion is a long-standing digital security problem, and attackers often repeat targets and descend to new heights in carrying out massively disruptive attacks. Last week, thousands of schools around the US were paralyzed in the middle of finals and other end-of-year activities when education company Instructure blocked access to its Canvas platform following a breach of rules by fraudulent actors.
Updated at 6:15 pm ET, May 12, 2026, to include comments from Flashpoint’s Ian Gray.
