
Foxconn Hit by Nitrogen Ransomware: 8TB of Apple, Nvidia & Google Schematics Stolen in 2026

The Foxconn ransomware attack of 2026 just became one of the most alarming supply chain cybersecurity incidents of the decade. The Nitrogen ransomware gang has confirmed it breached Foxconn’s North American operations and claims to have stolen 8 terabytes of data comprising 11 million files — including confidential product schematics and project files from Apple, Nvidia, Google, Dell, and Intel. If verified, this isn’t just a Foxconn problem. It’s a problem for every major tech company that trusts Foxconn to manufacture their most sensitive hardware.

Foxconn confirmed the breach on May 12, 2026, acknowledging that its facility in Mount Pleasant, Wisconsin had been hit. The company described the incident as affecting “some North American facilities” — language that cybersecurity researchers are calling a masterclass in corporate understatement.

What Happened: Foxconn’s North American Facilities Hit

The Foxconn ransomware attack began as what the company initially described as an “IT outage” at its Wisconsin plant. Within days, the truth emerged: the Nitrogen ransomware group had infiltrated Foxconn’s systems and was already exfiltrating massive volumes of data before anyone noticed. The company’s Wisconsin facility — one of its most high-profile North American investments, built following a 2017 deal brokered during the Trump administration — became ground zero for the breach.

Foxconn, officially known as Hon Hai Precision Industry Co., is the world’s largest contract electronics manufacturer. The company builds hardware for virtually every major tech brand on the planet, including Apple’s iPhones, Nvidia’s AI accelerators, Google’s data center hardware, and Dell’s enterprise servers. That manufacturing relationship requires Foxconn to hold extraordinarily sensitive technical documentation — the kind that threat actors like Nitrogen would pay handsomely for or leverage for extortion.

Cybersecurity researchers at The Register and TechCrunch were among the first to obtain details about the attack. According to reports, Nitrogen used double-extortion tactics: first encrypting files to disrupt operations, then exfiltrating data to use as leverage. When Foxconn reportedly refused to pay the ransom, Nitrogen began leaking samples of the stolen data to prove they had it.

Who Is Nitrogen? The Ransomware Group Behind the Foxconn Attack

Nitrogen is a relatively new but increasingly dangerous ransomware operation. The group first gained attention in September 2024 when they used malicious advertising — so-called “malvertising” — to distribute their initial access malware. Since then, they’ve rapidly evolved into a sophisticated double-extortion operation that punches well above its weight class.

The group’s modus operandi involves initial access through phishing or malvertising, followed by deployment of a custom backdoor to establish persistence, lateral movement through corporate networks, mass data exfiltration, and finally ransomware deployment. By the time most organizations realize what’s happening, Nitrogen has already taken everything valuable.

Nitrogen is known for targeting large enterprises with valuable intellectual property — exactly the kind of data Foxconn holds. The Foxconn attack fits their profile perfectly: a high-value target with global supply chain implications and enormous pressure to avoid public disclosure. As we’ve seen with other major cybersecurity incidents in 2026, threat actors are increasingly targeting supply chain nodes rather than end targets because the leverage is so much greater.

8TB, 11 Million Files: What Was Allegedly Stolen

Nitrogen claims to have exfiltrated 8 terabytes of data — approximately 11 million files — from Foxconn’s systems. The data allegedly includes:

  • Confidential product schematics from Apple, Nvidia, Google, Dell, and Intel
  • Manufacturing process documentation including quality control protocols
  • Internal project management files and production schedules
  • Supply chain data including vendor information and pricing
  • Personnel records from Foxconn employees

Nitrogen published samples of the stolen data on their dark web leak site to prove authenticity. Cybersecurity analysts who reviewed these samples noted that while the data appears genuine, the most sensitive Apple-specific documentation — device engineering schematics, development timelines, and quality assurance protocols — does not appear to be in the sample set. This has led to speculation that either Apple compartmentalizes its data differently within Foxconn’s systems, or that Nitrogen is holding back the most valuable material.

The sheer volume of data — 8TB — is staggering. For context, that’s roughly equivalent to 2,000 hours of HD video, or the complete text of approximately 8 million books. Moving that much data out of a corporate network without triggering security alerts requires significant technical sophistication and, often, extended access to the network over days or weeks.
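The volume-versus-time point above, as an added detection sketch (not from the original article or from any vendor tool): a fixed per-day egress limit misses a slow, steady transfer, while a rule that compares each host to its own baseline and requires several elevated days catches it. Host names, daily volumes and thresholds are constructed assumptions.

```python
import math
from statistics import median

# Constructed sample data: outbound volume in GB per day for three internal
# hosts, as it might be summed from firewall or NetFlow logs. Host names and
# numbers are invented for illustration.
DAILY_EGRESS_GB = {
    "eng-fileserver": [4, 5, 3, 6, 4, 5, 4, 310, 295, 320, 305, 300, 315, 290],
    "build-agent":    [40, 38, 45, 41, 39, 44, 42, 43, 40, 41, 39, 45, 42, 40],
    "hr-workstation": [1, 2, 1, 1, 2, 1, 2, 1, 1, 90, 1, 2, 1, 1],
}

def static_daily_alert(series, limit_gb=500):
    """Naive rule: first day index whose volume exceeds a fixed limit, else None."""
    return next((i for i, gb in enumerate(series) if gb > limit_gb), None)

def sustained_egress_alert(series, baseline_days=7, window=5, factor=10, min_days=3):
    """First day index on which at least `min_days` of the trailing `window`
    days exceed `factor` x the host's own baseline median, else None."""
    baseline = median(series[:baseline_days])
    threshold = factor * max(baseline, 1)  # floor keeps idle hosts from a zero threshold
    for day in range(baseline_days, len(series)):
        # Only look at days after the baseline period, at most `window` of them.
        recent = series[max(baseline_days, day - window + 1): day + 1]
        if sum(gb > threshold for gb in recent) >= min_days:
            return day
    return None

def days_to_transfer(total_tb, rate_gb_per_day):
    """Whole days needed to move `total_tb` at a steady daily rate (1 TB = 1000 GB)."""
    return math.ceil(total_tb * 1000 / rate_gb_per_day)

def run():
    """Return {host: (static_alert_day, sustained_alert_day)} for the sample data."""
    return {
        host: (static_daily_alert(series), sustained_egress_alert(series))
        for host, series in DAILY_EGRESS_GB.items()
    }

if __name__ == "__main__":
    for host, (static_day, sustained_day) in run().items():
        print(f"{host:15} static={static_day} sustained={sustained_day}")
    print("days to move 8 TB at 300 GB/day:", days_to_transfer(8, 300))
```

In the sample, the file server is flagged on its third elevated day, the one-day spike on the workstation is not, and the steady high-volume build agent stays quiet because its own baseline is already high.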

Apple and Nvidia: How Exposed Are They Really?

Apple issued no public comment on the Foxconn breach, which is consistent with their standard policy of not commenting on security incidents at suppliers. However, multiple analysts reviewed the data samples Nitrogen published and reached a tentative conclusion: the Apple-specific files in the sample don’t appear to include top-tier schematics or device development documentation. AppleInsider reported that “Apple doesn’t appear to be at risk” based on sample analysis — but that assessment comes with significant caveats.

The problem is that Nitrogen is a double-extortion group. They’ve shown the world a small slice of what they claim to have. The full 8TB dataset — if it exists as described — could contain far more sensitive Apple material that simply wasn’t included in the public samples. Until a comprehensive forensic analysis of the complete dataset is possible, no one can say with certainty what Apple IP was compromised.

For Nvidia, the stakes are arguably even higher given the company’s current position as the linchpin of the global AI infrastructure buildout. As we covered in our deep dive on AI chip competition in 2026, Nvidia’s hardware designs are worth billions in competitive intelligence. If Nitrogen has genuine Nvidia schematics, those files could be worth more on the cybercrime market than the ransom demand itself.

Google and Dell have similarly stayed quiet, with Dell acknowledging they’re “aware of reports” and investigating. Intel has not commented.

The Bigger Picture: Supply Chain Under Siege in 2026

The Foxconn ransomware attack is not happening in isolation. It’s the latest in a pattern of supply chain attacks that cybersecurity experts have been warning about for years. When threat actors can’t breach Apple or Google directly — both of which have world-class security teams — they go after the manufacturers, contractors, and suppliers who hold those companies’ most sensitive technical data.

This is exactly why Mandiant’s 2026 M-Trends report warned about AI-assisted attacks targeting supply chain vulnerabilities. The sophistication of groups like Nitrogen is increasing rapidly, and their targeting is becoming increasingly strategic. Foxconn was not a random victim — it was a calculated choice designed to maximize leverage across multiple Fortune 500 companies simultaneously.

The geopolitical dimensions also matter. Foxconn has complex relationships with multiple governments, particularly the US and Taiwan, and the data stolen from its systems could be valuable not just to cybercriminals but to nation-state actors. Whether Nitrogen is purely financially motivated or has state-level backing is a question that investigators are actively examining.

Consider what’s happened to enterprise security in 2026: 44,000 servers breached via cPanel vulnerabilities, critical zero-days in Palo Alto and SharePoint, and now Foxconn. The volume and scale of attacks against critical infrastructure and supply chains are accelerating at a pace that defenders are struggling to match.

What Organizations Should Do Right Now

If your organization works with Foxconn — or any large contract manufacturer — here’s what the Nitrogen ransomware attack means for you practically:

Audit your data sharing agreements. What documentation does your contract manufacturer hold? Under what conditions is it stored? How is it protected? Most companies haven’t reviewed these agreements since they were signed, and threat actors like Nitrogen are counting on exactly that kind of complacency.

Implement supply chain security monitoring. Waiting for your supplier to tell you about a breach — as Apple and Nvidia apparently had to do with Foxconn — is not a security strategy. Third-party risk monitoring tools can flag abnormal network activity at supplier facilities before data is exfiltrated.

Assume your data is out there. Given the scale of the alleged theft, companies whose data was potentially stored in Foxconn’s systems should treat this as a potential breach of their own IP. That means engaging forensic teams, reviewing what data was shared with Foxconn, and assessing what a leak would mean for ongoing product development.

Segment sensitive IP storage. The most critical technical documentation should never be accessible from a broad shared network. Air-gapped systems, strict access controls, and need-to-know data compartmentalization would have significantly limited what Nitrogen could exfiltrate even with network access.

The Foxconn ransomware attack is a wake-up call that’s going to be ignored by most organizations until it’s too late. Nitrogen has demonstrated that supply chain targets are gold mines — expect them and groups like them to hit more manufacturers in the months ahead.

Sources: TechCrunch | The Register | Cybersecurity Dive | 9to5Mac | Cybernews
