Foxconn Confirms North America Cyberattack After Nitrogen Ransomware Gang Claims 8TB Stolen Including Apple, Intel, Google, and Nvidia Project Files
Foxconn, the world's largest electronics manufacturer with over 900,000 employees across 240 campuses in 24 countries and revenues exceeding $260 billion in 2025, has confirmed a ransomware cyberattack targeting its North American operations after the Nitrogen ransomware gang publicly listed the company on its dark web leak site. The Nitrogen group claimed on Monday to have breached Foxconn's systems and exfiltrated 8 terabytes of data comprising more than 11 million files — including confidential instructions, internal project documentation, and technical drawings linked to major technology clients including Apple, Intel, Google, Dell, Nvidia, and AMD. Foxconn confirmed the breach the following day, stating that cybersecurity teams immediately activated response mechanisms and that affected factories are currently resuming normal production.
Analysis of publicly released sample files has revealed the full scope of what Nitrogen claims to have taken — and the implications extend far beyond Foxconn itself. Confirmed sample content includes financial documents from the Houston facility, circuit board layouts, temperature sensor data, integrated circuit documentation, and critically, network topology maps for AMD, Intel, and Google projects. The exposure of network topology maps has alarmed security analysts significantly. These documents are architectural maps of operational infrastructure — in the wrong hands they can be used to identify vulnerabilities in data centres globally, effectively providing a blueprint for downstream attacks against the world's most critical technology infrastructure. Affected Foxconn facilities reportedly include its plant in Mount Pleasant, Wisconsin, and a factory in Houston, Texas, where some staff were temporarily required to use pen and paper or work from home during the disruption.
Nitrogen has been active since 2023 and is believed to have built its ransomware strain on leaked source code from the Conti 2 builder, with suspected links to the ALPHV/BlackCat ransomware ecosystem. The group operates a double-extortion model — encrypting victim data while simultaneously threatening public release to maximise pressure on victims to pay. However, Coveware security researchers issued a warning in February 2026 that a coding error in Nitrogen's ESXi-targeting malware causes it to encrypt files with the wrong public key — irrevocably corrupting them and rendering the group's decryptor entirely useless. This means that for ESXi-based environments, paying the ransom demand does not guarantee — and may not enable — recovery of encrypted files.
This incident marks at least the third major ransomware attack against Foxconn or its subsidiaries. In January 2024, LockBit claimed to have hit Foxconn subsidiary Foxsemicon. In May 2022, a Foxconn production plant in Tijuana, Mexico, was targeted by the same group. As far back as December 2020, the DoppelPaymer ransomware operation hit Foxconn's Ciudad Juárez facility, demanding a $34 million ransom after allegedly encrypting up to 1,400 servers and destroying 20 to 30 terabytes of backup data. The pattern of repeated targeting underscores persistent and systemic security vulnerabilities within global electronics supply chains — vulnerabilities that become exponentially more consequential when the victim is a manufacturer holding sensitive project files for virtually every major technology company in the world.