Nitrogen Claims Foxconn Wisconsin Breach Exposed 8TB of AI Manufacturing Data
Foxconn said operational IT issues disrupted its Mount Pleasant, Wisconsin campus, where workers reported a broad network outage affecting Wi‑Fi, core infrastructure, and timekeeping systems as production was gradually restored. The Nitrogen ransomware group later claimed responsibility on its extortion site, alleging it stole 8TB of data spanning more than 11 million files from the Racine County facility, including assembly instructions, hardware schematics, and data center topology diagrams tied to customers such as Apple, Intel, Google, NVIDIA, and Dell. Foxconn has not verified the authenticity of the leaked samples or disclosed any ransom demand, and reports said the incident may also have affected a Foxconn site in Houston.
The claimed breach adds to a pattern of ransomware incidents affecting Foxconn manufacturing operations. In 2022, Foxconn confirmed a ransomware attack at its Tijuana, Mexico plant that disrupted production and was claimed by LockBit, with the company saying recovery was underway and overall business impact would be limited. That attack followed a 2020 intrusion at Foxconn’s Ciudad Juárez facility attributed to DoppelPaymer, underscoring repeated targeting of the company’s production sites and raising renewed supply-chain and industrial espionage concerns around its AI server and electronics manufacturing operations.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
6 events from the most recent confirmed update back to the earliest known activity.
Foxconn acknowledges IT issues at Wisconsin facility
Foxconn confirmed operational IT issues at its Wisconsin site and said production was being gradually restored, but it did not verify the authenticity of the leaked samples or disclose any public ransom demand. The incident raised concerns about supply-chain and industrial espionage risks because the site supports AI server assembly and liquid-cooling testing.
Nitrogen claims Foxconn Wisconsin breach and 8TB data theft
By 2026-05-11, the Nitrogen ransomware group had listed Foxconn on its dark web extortion site, claiming it stole 8 terabytes of data comprising more than 11 million files from the company's Racine County, Wisconsin facility. The alleged haul included assembly instructions, hardware schematics, and data center topology diagrams tied to Apple, Intel, Google, NVIDIA, and Dell.
Network outage begins at Foxconn's Wisconsin Mount Pleasant campus
On 2026-05-01, Foxconn's Mount Pleasant, Wisconsin campus experienced a major outage, with workers reporting a full network collapse affecting Wi‑Fi, core infrastructure, and timekeeping systems. The disruption may also have affected a Foxconn facility in Houston, Texas.
Foxconn confirms late-May ransomware attack in Tijuana
On or around 2022-06-02, Foxconn confirmed that its Tijuana, Mexico production plant had been hit by a ransomware attack in late May. The company said its cybersecurity team was executing a recovery plan and that factory operations were gradually returning to normal with limited overall business impact.
LockBit claims ransomware attack on Foxconn's Tijuana factory
On 2022-05-31, the LockBit ransomware gang claimed responsibility for a ransomware attack on Foxconn's strategic factory in Tijuana, Mexico. The group threatened to leak allegedly stolen data unless a ransom was paid by 2022-06-11.
DoppelPaymer claims attack on Foxconn's Ciudad Juárez plant
In December 2020, the DoppelPaymer ransomware group claimed it attacked Foxconn's CTBG MX facility in Ciudad Juárez, Mexico, and demanded $34 million. This was described as an earlier ransomware incident affecting Foxconn's Mexico operations.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
4 references tracked. Mallory keeps watching after this page renders.
Foxconn Breach: Nitrogen Claims 8TB Theft from Wisconsin AI Plant | The CyberSec Guru
thecybersecguru.com
Open sourceFoxconn confirms ransomware attack disrupted production in Mexico
bleepingcomputer.com
Open sourceFoxconn: Mexico factory operations 'gradually returning to normal' after ransomware attack | The Record from Recorded Future News
therecord.media
Open sourceElectronics Giant Foxconn Latest Ransomware Victim | IndustryWeek
industryweek.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Foxconn Cyberattack Disrupts North American Factories as Nitrogen Claims Data Theft
Foxconn confirmed that a cyberattack affected several of its North American factories, disrupting operations and forcing some facilities to fall back to manual processes while incident response teams worked to restore systems. Reporting tied to a Wisconsin site said the intrusion caused Wi-Fi and network outages, impaired computer operations, and led employees to use paper-based workflows before some were sent home. Foxconn said it activated cybersecurity response and business continuity measures immediately and that impacted plants are resuming normal production and delivery operations. The **Nitrogen** ransomware group claimed responsibility, alleging it stole **8 TB** of data and more than **11 million documents**, including confidential material related to major technology customers such as **Apple, Intel, Google, Nvidia, and AMD**. Security researchers have described Nitrogen as a financially motivated group first seen in 2023, with ransomware built from leaked **Conti 2** code and earlier links to malware used to deploy **BlackCat/ALPHV**. The incident adds to a string of ransomware attacks previously disclosed by Foxconn, including cases tied to **LockBit** and **DoppelPaymer**.
May 14, 2026
LockBit Claims 5TB Data Theft in Ransomware Attack on Foxsemicon
Foxsemicon Integrated Technology Inc. (FITI), a Taiwanese semiconductor parts manufacturer affiliated with Hon Hai Technology Group, said it was hit by a ransomware attack that defaced its website and displayed a threat to leak allegedly stolen data. The attackers, identified in reporting as the **LockBit** ransomware gang, claimed they had stolen and encrypted **5TB** of company data, including customer and employee personal information, and warned they would publish it on a darknet leak site if a ransom was not paid. Foxsemicon told the Taiwan Stock Exchange it restored its website the same day it detected the incident, brought in security experts, and did not expect a significant impact on operations. The company did not disclose any ransom demand and had not confirmed whether customer or employee data was actually exfiltrated, while parts of its website reportedly remained inaccessible and search results continued to show the attackers' message. The incident stood out because website defacement is considered unusual for LockBit, which more commonly pressures victims through its extortion portal.
May 25, 2026
RansomHub Claims Breach of Apple Supplier Luxshare With Alleged Leak of Engineering and Supply-Chain Data
Apple manufacturing partner **Luxshare Precision Industry** was reportedly hit by a ransomware incident involving data theft and extortion, with internal documents allegedly published to pressure payment. Reporting indicates the exposed materials include sensitive operational information tied to Luxshare’s role in Apple’s supply chain (e.g., production workflows, security procedures, and supply-chain protocols), raising concerns about downstream risk to Apple-related manufacturing and repair operations. *Help Net Security* reports the **RansomHub** ransomware-as-a-service operation claimed responsibility, alleging affiliates stole and encrypted data and posted proof on its leak site. The group claimed the stolen archives include **3D CAD models**, engineering design/documentation, **2D manufacturing drawings**, and **PCB design/manufacturing data**, and asserted the data set contains information related to multiple Luxshare customers (including Apple and other major technology/automotive firms); third-party researchers cited in the report said the leak appears to include confidential Apple-Luxshare repair and shipping project details, while Luxshare had not publicly confirmed the breach at the time of reporting.
Mar 21, 2026