Foxconn Nitrogen ransomware breach (2026)

The Nitrogen ransomware group claimed on its dark-web leak site that it had stolen over 11 million files from Foxconn's North American facilities, including confidential information belonging to customers Apple, Dell, Google, Intel, Nvidia, and Sony. Foxconn said affected factories were resuming normal production.

In May 2026, the Nitrogen ransomware group posted on its dark-web leak site that it had breached Foxconn — the world's largest contract electronics manufacturer and a key supplier to virtually every major consumer-tech brand — and exfiltrated over 11 million files from its North American facilities.

What happened

Nitrogen is a double-extortion crew: it both encrypts files and steals data to pressure victims into paying. On 13 May 2026 it published a claim that it held 11M+ files from Foxconn's North American operations. According to the public posting, the stolen archive includes confidential information belonging to Foxconn customers — names cited include Apple, Dell, Google, Intel, Nvidia, and Sony — the kind of supply-chain data that competitors and nation-state collectors would pay handsomely to read.

Foxconn confirmed that a cyberattack had affected facilities in North America and said the affected factories were "currently resuming normal production" but declined to answer detailed questions.

Impact

Over 11 million files claimed stolen by Nitrogen.
North American Foxconn facilities affected; production reportedly recovering.
Customer data implicated for six of the largest consumer-tech brands.
No public ransom amount disclosed; Foxconn has not confirmed payment or non-payment.

Why it matters

Contract manufacturers like Foxconn are an upstream concentration point in the global tech supply chain. A breach of one factory operator can simultaneously hand attackers confidential roadmaps, BOMs, and pricing data for dozens of brands. The Nitrogen extortion playbook — leak-site claim first, factory recovery in parallel — is now the default shape of every large-scale manufacturer ransomware incident.

Timeline

May 13, 2026

Nitrogen ransomware gang claims responsibility on its dark-web leak site, asserting it stole more than 11 million files from Foxconn's North American facilities.

May 1, 2026

Foxconn confirms a cyberattack affected facilities in North America; affected factories are 'currently resuming normal production'.

Related incidents

RansomwareRansom paidJune 18, 2024

CDK Global BlackSuit ransomware (2024)

BlackSuit operators encrypted CDK Global's dealer-management platform, knocking ~15,000 North American car dealerships offline for nearly two weeks. A second attack hit on day two of recovery. Industry losses estimated at over $1 billion; CDK reportedly paid a $25 million ransom.

Victim: CDK Global
Loss: $1.00B

RansomwareContainedJanuary 17, 2024

Schneider Electric Sustainability Business Cactus ransomware (2024)

Cactus ransomware operators hit Schneider Electric's Sustainability Business division, taking the Resource Advisor consulting platform offline and exfiltrating approximately 1.5 TB of data — including passport scans and signed NDAs from customers like Hilton, PepsiCo, and Walmart.

Victim: Schneider Electric — Sustainability Business division

RansomwareContainedOctober 27, 2023

Boeing LockBit ransomware via Citrix Bleed (2023)

LockBit operators exploited the Citrix Bleed vulnerability (CVE-2023-4966) to enter Boeing's parts and distribution business. Boeing did not pay; LockBit leaked roughly 45 GB of data, including Citrix logs, email backups, supplier lists, and 2020 pricing data.

Victim: Boeing — Parts and Distribution business

RansomwareRansom paidMay 30, 2021

JBS Foods REvil ransomware

REvil affiliates encrypted the world's largest meat processor, shutting down beef and pork plants across the U.S., Canada, and Australia. JBS paid an $11 million ransom — one of the largest publicly-confirmed ransomware payments at the time.

Victim: JBS S.A. / JBS USA
Loss: $100.0M