Nitrogen Ransomware — Foxconn Breach

On May 11, 2026, the Nitrogen ransomware group claimed to have stolen 8 terabytes of data from Foxconn’s Mount Pleasant, Wisconsin facility — over 11 million files including assembly instructions, data center topology diagrams for Google and Intel, and hardware schematics linked to Apple, NVIDIA, and Dell.

Foxconn confirmed the attack: “Some of Foxconn’s factories in North America suffered a cyberattack. The cybersecurity team immediately activated the response mechanism and implemented multiple operational measures to ensure the continuity of production and delivery. The affected factories are currently resuming normal production.”

Foxconn has not confirmed ransomware, data theft, or a ransom demand. The company described the incident as a technical issue affecting IT systems.

Timeline of Events

May 1, ~3:30 AM — Third-shift workers stop production; network outage begins. First-shift workers arrive at 7:00 AM to find no Wi-Fi; managers send workers home by 11:00 AM.

May 1–4 — Production shut down; timecard terminals unusable; employees fill out paper timesheets.

Manufacturing remained affected until May 12, 2026. Workers were told: “Turn off your computers and not log back in under any circumstances.”

May 11 — Nitrogen posts Foxconn on its dark web leak site with sample files as proof.

May 12 — Foxconn publicly confirms the cyberattack.

What Was Allegedly Stolen

The stolen data reportedly includes confidential instructions, internal project documentation, and technical drawings related to projects at Intel, Apple, Google, Dell, and Nvidia, among others. Foxconn declined to confirm that these — or any — customers’ information was exfiltrated.

Analysts who reviewed the sample files noted stolen financial documents related to Foxconn’s Houston, Texas facility, plus documentation related to temperature sensors, integrated circuits, and board layouts.

On Apple specifically: Based on the samples, it does not appear that Nitrogen obtained Apple schematics, documentation related to Apple product development teams, or Apple quality control data. The Mount Pleasant facility primarily produces televisions and data servers rather than Apple devices.

The real concern flagged by analysts: The topology specifications for Google and Intel are architectural maps of live infrastructure. Attackers could use this data to identify vulnerabilities in data centers across the world.

About Nitrogen Ransomware

Nitrogen has been active since 2023 and is believed to be one of the various ransomware offshoots that borrowed code from the leaked Conti 2 builder.

Nitrogen operates as a ransomware-as-a-service (RaaS) group linked to Eastern European operators and possibly connected to the BlackCat/ALPHV ransomware cartel. It employs a double-extortion model.

Foxconn’s Ransomware History

Foxconn has now faced ransomware incidents at North American plants in 2020 (DoppelPaymer), 2022 (LockBit 2.0 alleged), 2025 (FIT subsidiary), and 2026 (Nitrogen). A serial target, not a one-off.

Facility Context

The Mount Pleasant campus is a hub for AI server production, recently expanded with a $569 million investment. Targeting a facility of this profile — producing infrastructure hardware for hyperscalers — amplifies the downstream risk far beyond the factory floor.

Supply Chain Implications

If Nitrogen’s claims are even partially accurate, downstream consequences for Foxconn’s customers could be severe: leaked schematics could be reverse-engineered by competitors or used to find zero-day vulnerabilities in components. Network topology diagrams for Google and Intel could be weaponized for targeted physical or digital penetration campaigns across multiple facilities.

Indicators to Monitor

  • Dark web activity on Nitrogen’s leak site for full data dump release
  • Secondary targeting of named customer organizations — Intel, Google, Dell, NVIDIA
  • Credential exposure: 53 compromised employees, 719 compromised users, 185 third-party employee credentials, and 137 external attack surface entries identified.

Mitigation Guidance

For Foxconn’s supply chain partners and customers:

  • Immediately audit shared credentials and third-party VPN access tied to Foxconn systems
  • Rotate any credentials shared with Foxconn-connected environments
  • Review data center topology access — particularly Google and Intel infrastructure teams
  • Activate supply chain incident response playbooks
  • Enforce zero-trust for all third-party hardware manufacturer integrations
  • Monitor for leaked schematics or internal documentation appearing in threat actor forums
