The factory in Mount Pleasant, Wisconsin, was back to normal production by May 12. The 8 terabytes of data stolen from its network were not coming back.

Foxconn — the world’s largest electronics manufacturer, physically building devices for Apple, Nvidia, Google, Dell, Intel, and dozens of others — confirmed this week that its North American operations were hit by a ransomware attack. A group calling itself Nitrogen claims to have walked out with 11 million files: assembly instructions, hardware schematics, and network topology diagrams belonging to some of the most valuable technology companies on Earth.

What happened at Mount Pleasant

The breach first surfaced on Friday, May 1. Workers at Foxconn’s Racine County campus reported a full network collapse — Wi-Fi cut off at 7 AM, core plant infrastructure disrupted by 11 AM. Staff were told to power down their computers and stay offline. Timecard terminals went dark. Employees filled out paper timesheets.

“We were told to turn off our computers and not log back in under any circumstances,” one worker told The CyberSec Guru, asking not to be identified. “The timecard terminals were dead.”

Internal notices cited ongoing network problems through at least Tuesday, May 5. The facility had recently received a $569 million investment to ramp up AI server and cloud infrastructure production, placing it at the center of the domestic high-performance computing supply chain. The outage hit in the middle of that build-out.

On May 11, Nitrogen listed Foxconn on its dark web extortion site and released sample files as proof. Analysts who reviewed the samples describe step-by-step assembly guides for proprietary server hardware, network topology diagrams for Google and Intel data centers, and design schematics for components linked to Apple, Nvidia, and Dell.

Mark Henderson, a cybersecurity analyst tracking the group, told The CyberSec Guru that the topology specs are “architectural maps of live infrastructure.” If authentic, they could be used to locate vulnerabilities in data centers worldwide.

Foxconn has not confirmed whether the sample files are genuine. Apple, Google, Intel, Nvidia, and Dell have not publicly commented.

The concentration problem

Foxconn is the textbook single point of failure in global technology manufacturing. The company doesn’t just make products — it holds the intellectual property of its clients in the form of schematics, assembly instructions, and design files that represent billions of dollars in R&D.

“Ransomware groups are increasingly targeting victims that can impact the supply chain, whether it is physical or software,” Allan Liska, a threat intelligence analyst at Recorded Future, told WIRED. Foxconn, he noted, “does manufacturing and holds sensitive data for so many companies around the world.”

One breach. One target. The blast radius covers half of Silicon Valley.

Ian Gray, vice president of intelligence at Flashpoint, said Nitrogen has logged roughly 50 victims since emerging in 2023, primarily targeting manufacturing, technology, and retail. Manufacturing, he said, is “one of the most-targeted sectors for ransomware in general.”

A recurring target

Foxconn has been here before. In December 2020, DoppelPaymer hit a facility in Ciudad Juárez, Mexico, demanding $34 million and reportedly deleting 30 terabytes of backup data. LockBit disrupted production at a Baja California plant in May 2022, then attacked Foxconn subsidiary Foxsemicon Integrated Technology in 2024. Three major ransomware incidents in six years, all targeting North American manufacturing.

The push toward IoT-integrated, cloud-connected production — the so-called Industry 4.0 model — has expanded the attack surface each time.

The data is already gone

Nitrogen typically spends weeks inside a target’s network before triggering visible disruption, prioritizing data exfiltration over immediate encryption. Entry is usually through compromised VPNs or remote desktop access. Once inside, the group moves laterally to locate backup servers and file repositories, staging data quietly.

By the time anyone noticed at Mount Pleasant, the files were almost certainly already exfiltrated.
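One way to hunt for the sequence described above (remote entry, first-time access to backup and file servers, then bulk outbound transfer) while the intruder is still in the dwell phase. This is an added example, not code from the incident or from any vendor; the host names, accounts, baseline, 50 GiB threshold and every event are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

SENSITIVE = {"backup01", "files01"}   # hypothetical backup / file-repository hosts
BASELINE = {("svc_backup", "backup01"), ("jdoe", "files01")}  # pairs seen in normal use
EGRESS_LIMIT = 50 * 1024**3           # assumed per-account daily outbound limit (50 GiB)

# Constructed events: (timestamp, account, kind, host, bytes_out)
EVENTS = [
    ("2030-03-02T23:41", "vendor_ra", "remote_logon", "vpn-gw", 0),
    ("2030-03-03T09:00", "jdoe", "remote_logon", "vpn-gw", 0),
    ("2030-03-03T09:05", "jdoe", "host_access", "files01", 0),
    ("2030-03-09T01:12", "vendor_ra", "host_access", "backup01", 0),
    ("2030-03-11T02:30", "vendor_ra", "host_access", "files01", 0),
    ("2030-03-20T01:00", "vendor_ra", "egress", "files01", 30 * 1024**3),
    ("2030-03-20T03:00", "vendor_ra", "egress", "files01", 35 * 1024**3),
    ("2030-03-20T10:00", "jdoe", "egress", "files01", 2 * 1024**3),
]

def find_staged_exfil(events, baseline=BASELINE, limit=EGRESS_LIMIT):
    """Flag accounts that log on remotely, reach sensitive hosts outside their
    baseline, then exceed the daily egress limit. One finding per account."""
    entry, new_hosts, daily = {}, defaultdict(set), defaultdict(int)
    findings = {}
    for ts, acct, kind, host, nbytes in sorted(events):
        when = datetime.fromisoformat(ts)
        if kind == "remote_logon":
            entry.setdefault(acct, when)       # first remote entry for this account
        elif kind == "host_access" and acct in entry:
            if host in SENSITIVE and (acct, host) not in baseline:
                new_hosts[acct].add(host)      # first-time reach into backups/file stores
        elif kind == "egress" and new_hosts[acct]:
            daily[(acct, when.date())] += nbytes
            if daily[(acct, when.date())] >= limit and acct not in findings:
                findings[acct] = {
                    "account": acct,
                    "new_sensitive_hosts": sorted(new_hosts[acct]),
                    "dwell_days": (when - entry[acct]).days,
                    "egress_gib": daily[(acct, when.date())] // 1024**3,
                }
    return list(findings.values())

if __name__ == "__main__":
    for finding in find_staged_exfil(EVENTS):
        print(finding)
```

The first-time access to a backup or file-repository host is the earlier signal; alerting on it alone, before any egress threshold is crossed, is what shortens the dwell window.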

There is an additional wrinkle. According to Coveware, Nitrogen’s encryption mechanism has a critical design flaw: the public key used during encryption gets corrupted, making files impossible to decrypt even if the victim pays. Whether this has complicated Foxconn’s incident response is unclear.

On the consumer side, analysts have found no evidence of personal data — user accounts or customer information — in the theft. The files appear to be exclusively industrial. AppleInsider’s analysis suggests Apple-specific data may be limited, since the Wisconsin facility primarily produces televisions and data servers rather than iPhones. But the published samples represent a fraction of 8 terabytes. The full scope is unknown.

Nitrogen has not published a payment demand. Whether the group sells the data, leaks it, or simply holds it as leverage is unclear.

Foxconn said it “immediately activated emergency response mechanisms and implemented a series of contingency measures to ensure the continuity of production and delivery, as well as the protection of data.” The factories are running again. Whether the secrets are still secret is another question.

Sources