Key Takeaway
– Nitrogen ransomware claims 8TB/11M stolen files and hit Foxconn’s Mount Pleasant, WI, and Houston, TX facilities; production is resuming.
– Alleged stolen data include confidential instructions, internal project docs, circuit layouts tied to Apple, Nvidia, Intel, Google, Dell, and AMD; Foxconn has not confirmed data theft.
– Nitrogen operates a double-extortion model (encrypts data and threatens public release); a programming error in Nitrogen’s ESXi encryptor could render data unrecoverable even if ransom is paid.
– This marks Foxconn’s third major ransomware incident in recent years (DoppelPaymer 2020; LockBit 2022/2024), highlighting the risk to large, multi-site manufacturers.
Foxconn has confirmed a ransomware attack on several North American factories after the Nitrogen ransomware group claimed on May 11 to have stolen 8TB of data comprising more than 11 million files. The attack affected facilities in Mount Pleasant, Wisconsin, and Houston, Texas, forcing some employees to fall back on pen and paper and sending others home until network access was restored.
Ransomware claim and immediate impact
“The cybersecurity team immediately activated the response mechanism and implemented multiple operational measures to ensure the continuity of production and delivery,” a Foxconn spokesperson told BleepingComputer. “The affected factories are currently resuming normal production.”
Company scale and customer base
Foxconn is the world’s largest contract electronics manufacturer, with over 900,000 employees across 240 facilities in 24 countries and reported revenues above $260 billion in 2025. Its customer list reads like a who’s who of the tech industry: Apple, Nvidia, Intel, Google, Dell, AMD, Microsoft, and Sony all rely on it for hardware production.
- Apple
- Nvidia
- Intel
- Google
- Dell
- AMD
- Microsoft
- Sony
Stolen data and Nitrogen group
That customer list is exactly what Nitrogen is using as leverage. The group claims the stolen files contain confidential instructions, internal project documentation, circuit board layouts, and technical drawings tied to projects at Apple, Nvidia, Intel, Google, Dell, and AMD. Sample files have been posted on Nitrogen’s dark web leak site. Foxconn has not confirmed whether customer data was actually taken and declined to answer specific questions on the subject.
Ransomware mechanics and risk
Nitrogen has been active since 2023 and operates as a double-extortion group: it encrypts victim files and simultaneously threatens to publish stolen data unless a ransom is paid. The group is believed to be built on code from the leaked Conti 2 ransomware builder and is suspected of having links to the ALPHV/BlackCat ecosystem. There is a significant problem with paying the ransom, however.
Coveware warning and data loss risk
In February 2026, Coveware researchers published a warning that a programming error in Nitrogen’s ESXi encryptor causes it to encrypt all files with the wrong public key, making file recovery impossible even if the victim pays. This means Foxconn faces the prospect of losing access to encrypted data permanently, regardless of what it decides to do with the ransom demand.
Past incidents and pattern
Nitrogen made its name targeting companies in construction, financial services, manufacturing, and technology. Foxconn is its highest-profile victim to date. The Mount Pleasant facility primarily produces televisions and data servers rather than Apple consumer devices, which may limit the impact on Apple-specific product development. However, the Houston facility’s product scope has not been detailed publicly. This is at least the third major ransomware attack on Foxconn facilities in recent years. In December 2020, the DoppelPaymer group hit its Ciudad Juárez facility in Mexico, encrypting up to 1,400 servers, destroying 20 to 30TB of backups, and demanding $34 million in bitcoin. In 2022 and 2024, LockBit targeted Foxconn subsidiary Foxsemicon Integrated Technology.
