The Nitrogen ransomware gang has compromised Foxconn's North American factories, exfiltrating approximately 8 TB of data including confidential documents from major tech clients. The group, which evolved from using a malware loader to its own ransomware strain based on leaked Conti code, claims the stolen files contain proprietary instructions and drawings. Foxconn has activated its incident response and is working to restore normal production operations at the affected facilities.
Foxconn confirms cyberattack claimed by Nitrogen ransomware gang By Sergiu Gatlan May 13, 2026 08:49 AM 0 Foxconn, the world's largest electronics manufacturer, says some of its North American factories are now working to resume normal operations after a cyberattack. The electronics giant has over 900,000 employees across over 240 campuses in 24 countries and reported revenues of over $260 billion in 2025. The company is ranked 28th in Fortune Global 500 and manufactures a wide range of electronic products for major tech companies worldwide, including Apple, Nvidia, Intel, and Google. The incident was confirmed by a Foxconn spokesperson when BleepingComputer asked the company to confirm claims by the Nitrogen ransomware operation earlier this week that they had stolen 8 TB of data and more than 11 million documents. "Some of Foxconn's factories in North America suffered a cyberattack," the company spokesperson told BleepingComputer in an emailed statement. "The cybersecurity team immediately activated the response mechanism and implemented multiple operational measures to ensure the continuity of production and delivery. The affected factories are currently resuming normal production." Nitrogen also says on their dark web leak site that the stolen Foxconn files contain "confidential instructions, projects and drawings" from Apple, Intel, Google, Nvidia, AMD, and other Foxconn customers. Foxconn entry on Nitrogen leak site (BleepingComputer) ​The threat actors behind the Nitrogen ransomware operation first surfaced in 2023 with a malware loader using the same name that deployed BlackCat/ALPHV ransomware payloads . The cybercrime group later developed its own ransomware strain using leaked Conti 2 builder code . However, according to Coveware security researchers, "a coding mistake in the ESXi malware causes it to encrypt all the files with the wrong public key, irrevocably corrupting them." While Nitrogen ransomware isn't the most active ransomware operation, it has slowly added dozens of victims to its leak site since 2024. This isn't the first time Foxconn has been hit by ransomware, with the LockBit ransomware gang claiming to have hit Foxconn subsidiary Foxsemicon in January 2024 and a Foxconn production plant in Tijuana, Mexico, in late May 2022 . In December 2020, the DoppelPaymer ransomware operation also claimed it hit Foxconn's CTBG MX facility in Ciudad Juárez and demanded a $34 million ransom after allegedly stealing 100GB of data, encrypting up to 1,400 servers, and destroying 20 to 30TB of backup data. 99% of What Mythos Found Is Still Unpatched. AI chained four zero-days into one exploit that bypassed both renderer and OS sandboxes. A wave of new exploits is coming. At the Autonomous Validation Summit (May 12 & 14), see how autonomous, context-rich validation finds what's exploitable, proves controls hold, and closes the remediation loop. Claim Your Spot Related Articles: Instructure reaches 'agreement' with ShinyHunters to stop data leak Trellix source code breach claimed by RansomHouse hackers Canvas login portals hacked in mass ShinyHunters extortion campaign Karakurt extortion gang ‘cold case’ negotiator gets 8.5 years in prison Critrical cPanel flaw mass-exploited in "Sorry" ransomware attacks