Foxconn has confirmed a cyberattack on several of its North American manufacturing facilities after the Nitrogen ransomware group listed the company on its dark web leak site on May 11, claiming 8 terabytes of stolen data spanning 11 million files. The attackers allege the stolen trove contains confidential project documentation, technical hardware drawings, circuit board layouts, and internal files tied to major Foxconn customers including Apple, Nvidia, Intel, Google, and Dell.

Foxconn confirmed on May 12 that its facility in Mount Pleasant, Wisconsin was impacted. An additional site in Houston, Texas was identified in Nitrogen’s leak-site claims. Production at affected facilities is resuming, the company said, offering no additional details on scope, timeline, or the status of any ransom demand.

Who Nitrogen Is

Nitrogen has operated since 2023 and is assessed to be one of several ransomware variants built from the leaked Conti 2 builder — the same codebase that spawned a wave of successor operations after the Conti ransomware group’s internal files and source code were published by a Ukrainian security researcher in 2022. The group operates as a double-extortion outfit: data is exfiltrated before encryption, giving the attackers two independent levers — restore access and suppress publication — that can be monetized separately or bundled.

Nitrogen is not among the top-tier ransomware brands by victim count, but the Foxconn claim represents a significant escalation in target profile. Foxconn is the world’s largest contract electronics manufacturer, producing hardware for most of the major names in consumer and enterprise tech. A confirmed breach at the scale Nitrogen claims would represent the group’s most consequential operation to date.

There is a critical operational detail that distinguishes Nitrogen from most ransomware groups: its decryptor is broken. In February 2026, Coveware researchers documented a programming error in Nitrogen’s decryption tooling that prevents recovery of encrypted files even when a victim pays the ransom in full. Nitrogen has not publicly acknowledged or fixed the defect. For Foxconn and any other Nitrogen victim, this means the encryption side of the attack is effectively irreversible. Paying produces shred logs, not file recovery. The only path to operational restoration is from backups.

What Was Taken — and What Is Disputed

The 8TB / 11 million file claim breaks down into several categories according to Nitrogen’s leak-site posting: internal project documentation, technical hardware drawings, circuit board layouts, integrated circuit documentation, temperature sensor records, and financial files associated with the Houston facility. The project-customer tie-ins — the Apple, Nvidia, Google, Dell, Intel references — are the most significant element of Nitrogen’s claim from a reputational and third-party liability standpoint.

Those specific claims are contested. An initial review by Foxconn and at least one of the named technology companies does not support the attackers’ assertion that data tied to Apple, Dell, or Nvidia was accessed. Apple has separately indicated it does not believe its data was compromised. The Mount Pleasant facility is relevant context: it primarily produces televisions and data servers, not Apple-branded consumer devices. Foxconn operates dozens of facilities across North America with different customer profiles; the presence of Apple files in a Wisconsin facility focused on other product lines is plausible but not established.

Cybernews independently reviewed a sample of files posted to Nitrogen’s leak site as proof of access and confirmed some legitimacy. Beyond that confirmed sample, the full 11 million file claim has not been independently verified.

The Attack Timeline

The first signs of disruption at the Mount Pleasant facility appeared on May 1. Employees reported Wi-Fi being cut off at 7 AM ET, followed by disruptions to core plant infrastructure by 11 AM ET. The operational profile — network disruption preceding encryption — is consistent with standard ransomware deployment methodology, where attackers establish persistence and exfiltrate data before triggering the encryption payload.

Nitrogen’s dark web listing appeared on May 11, ten days after the initial disruption. The gap is consistent with a negotiation period during which the attackers allow private communications before escalating to public extortion. Foxconn’s confirmation came on May 12, the same day the listing attracted broad media attention.

The period between May 1 and May 11 was used either for failed negotiation, for continued exfiltration, or both. The size of the claimed dataset — 8TB — is large enough to require sustained exfiltration bandwidth over multiple days, which is consistent with the timeline.

Why a Foxconn Breach Matters Beyond Foxconn

Foxconn sits at the center of global hardware supply chains. Contract manufacturers of Foxconn’s scale hold technical documentation for products they build on behalf of clients — hardware specifications, component sourcing, assembly tolerances, prototype documentation — that is commercially and competitively sensitive to the original equipment manufacturers who commissioned it.

A breach of a contract manufacturer is structurally different from a breach of the OEM itself. The OEM controls its own security posture. It does not control the security posture of every partner facility that holds its technical files. If Nitrogen’s claim that Apple and Nvidia documentation is in the stolen dataset is accurate — even partially — those companies face exposure they had no direct ability to prevent.

This is the supply chain security problem in its clearest form: you are only as secure as the least-secure party that holds your data. For major technology companies that rely on complex international manufacturing networks, the attack surface extends to every facility in the chain.

The Decryptor Problem and What It Means

For Foxconn’s operational recovery, the broken Nitrogen decryptor shapes the response calculus entirely. Paying a ransom to Nitrogen produces two possible outcomes: a data suppression agreement (the same transaction Instructure made with ShinyHunters last week for the Canvas breach), or nothing, because the decryption key Nitrogen provides will not work. Either way, restoring systems encrypted by Nitrogen requires clean backups.

Organizations in manufacturing, industrial control, and supply-chain-adjacent verticals that have not already confirmed backup integrity and tested restoration procedures should treat the Foxconn incident as an operational prompt to do so. Nitrogen is not the only ransomware group operating with broken or unreliable decryptors — paying has become an even less reliable path to recovery than it was two years ago.

The FBI and CISA continue to advise against ransom payments. In Nitrogen’s case specifically, that advice is bolstered by a practical argument independent of policy: the payment does not restore operations.

What Foxconn Has Not Said

Foxconn’s public statement confirmed the attack and the Wisconsin facility involvement and said little else. It did not confirm whether a ransom demand had been received or was under negotiation. It did not confirm what data categories were accessed. It did not confirm whether the customer-file claims from Nitrogen had been verified or refuted through internal forensic review. It did not provide a timeline for completion of the forensic investigation.

The absence of detail is standard for the initial phase of a ransomware response — companies routinely limit public disclosure while negotiations are active and forensic scope is being established. What Foxconn has not said will become more significant if Nitrogen begins releasing data.

The listing remains active on Nitrogen’s dark web site as of publication.


Sources

  • The Register: Foxconn confirms cyberattack after Nitrogen claims Apple, Nvidia data theft (May 12, 2026)
  • BleepingComputer: Electronics giant Foxconn confirms cyberattack on North American factories
  • TechCrunch: Ransomware hackers claim breach at Foxconn, a major electronics manufacturer for Apple, Google, and Nvidia (May 13, 2026)
  • Coveware: Nitrogen ransomware decryptor defect advisory (February 2026)
  • Cybernews: Major Apple partner Foxconn allegedly breached with 11M files stolen

Breached.Company covers state-sponsored cyber and hybrid threats, breach disclosures, and signals intelligence for the security community.