Foxconn ransomware attack sees Apple and Nvidia data stolen

Foxconn has confirmed a ransomware attack on several of its North American factories after the Nitrogen ransomware group claimed on May 11 to have stolen 8TB of data comprising more than 11 million files.
The attack affected facilities in Mount Pleasant, Wisconsin, and Houston, Texas, forcing some employees to fall back on pen and paper and sending others home until network access was restored.
"The cybersecurity team immediately activated the response mechanism and implemented multiple operational measures to ensure the continuity of production and delivery," a Foxconn spokesperson told BleepingComputer. "The affected factories are currently resuming normal production."
Foxconn is the world's largest contract electronics manufacturer, with over 900,000 employees across 240 facilities in 24 countries and reported revenues above $260 billion in 2025. Its customer list reads like a who's who of the tech industry: Apple, Nvidia, Intel, Google, Dell, AMD, Microsoft, and Sony all rely on it for hardware production.
That customer list is exactly what Nitrogen is using as leverage. The group claims the stolen files contain confidential instructions, internal project documentation, circuit board layouts, and technical drawings tied to projects at Apple, Nvidia, Intel, Google, Dell, and AMD. Sample files have been posted on Nitrogen's dark web leak site. Foxconn has not confirmed whether customer data was actually taken and declined to answer specific questions on the subject.
Who Nitrogen is and why paying up may not help
Nitrogen has been active since 2023 and operates as a double-extortion group: it encrypts victim files and simultaneously threatens to publish stolen data unless a ransom is paid. Its ransomware is believed to be built on code from the leaked Conti 2 ransomware builder, and the group is suspected of having links to the ALPHV/BlackCat ecosystem. There is a significant problem with paying the ransom, however.
In February 2026, Coveware researchers published a warning that a programming error in Nitrogen's ESXi encryptor causes it to encrypt all files with the wrong public key, making file recovery impossible even if the victim pays. This means Foxconn faces the prospect of losing access to encrypted data permanently, regardless of what it decides to do with the ransom demand.
Nitrogen made its name targeting companies in construction, financial services, manufacturing, and technology. Foxconn is its highest-profile victim to date. The Mount Pleasant facility primarily produces televisions and data servers rather than Apple consumer devices, which may limit the impact on Apple-specific product development. However, the Houston facility's product scope has not been detailed publicly.
A recurring target
This is at least the third major ransomware attack on Foxconn facilities in recent years. In December 2020, the DoppelPaymer group hit its Ciudad Juárez facility in Mexico, encrypting up to 1,400 servers, destroying 20 to 30TB of backups, and demanding $34 million in bitcoin. In 2022 and 2024, LockBit targeted Foxconn subsidiary Foxsemicon Integrated Technology.
The pattern reflects the persistent attractiveness of large contract manufacturers as ransomware targets: they hold sensitive data for dozens of major customers, they run complex multi-site operations that create many potential entry points, and operational disruption has direct downstream consequences for the companies they supply.
Notebookcheck has covered the growing use of AI in ransomware and zero-day development this month, including Google's confirmation of the first AI-developed zero-day exploit used in a planned mass exploitation campaign.






