Nitrogen Ransomware Claims 8TB Theft from Foxconn’s Wisconsin Plant

The CyberSec Guru

The Nitrogen ransomware group has listed Foxconn on its dark web extortion site, claiming it stole 8 terabytes of data from the electronics manufacturer’s facility in Racine County, Wisconsin. The group says the haul includes over 11 million files. Among them were assembly instructions, data center diagrams, and hardware schematics tied to Apple, Intel, Google, NVIDIA, and Dell.

Foxconn has confirmed “IT systems issues” at the site and says it has activated emergency protocols. The company says production is in a “gradual restoration” phase.

What happened on the ground

The outage first surfaced on Friday, May 1, when workers at the Mount Pleasant campus reported a full network collapse. By 7:00 AM, Wi-Fi was gone. By 11:00 AM, the disruption had spread through core plant infrastructure.

“We were told to turn off our computers and not log back in under any circumstances,” said one worker, who asked not to be identified. “The timecard terminals were dead. We were filling out paper timesheets just to track our hours.”

Foxconn Internal Network Issue (Source: X/Twitter)

Internal notices reviewed by investigators cited ongoing network problems through at least Tuesday, May 5. The facility had recently received an additional $569 million investment to ramp up AI server and cloud infrastructure production, and the outage hit in the middle of that build-out.

What Nitrogen is claiming

On May 11, Nitrogen published Foxconn on its leak site and released sample data to back the claim. Cybersecurity analysts who reviewed the samples say the files fall into three main categories:

  • Step-by-step assembly guides for proprietary server hardware
  • Network topology diagrams for Google and Intel data centers
  • Design schematics for components linked to Apple, NVIDIA, and Dell

“The topology specs for Google and Intel are the real concern,” said Mark Henderson, an analyst at a cybersecurity firm that has been tracking the group. “These are architectural maps of live infrastructure. If they’re authentic, someone could use them to locate vulnerabilities, physical or digital, in data centers around the world.”

Nitrogen’s Claim of Them Breaching Foxconn (Source: X/Twitter)
Sample Google Internal Data (Source: X/Twitter)
Sample Intel Internal Data (Source: X/Twitter)

Foxconn has not confirmed whether any of the sample files are genuine. Apple, Google, Intel, NVIDIA, and Dell have not publicly commented.

How Nitrogen operates

Nitrogen is not a smash-and-grab operation. The group typically spends weeks inside a target’s network before triggering any visible disruption, prioritizing data exfiltration over immediate encryption. That approach gives them more leverage. By the time anyone notices, the files are already gone.

Entry points are usually compromised VPNs or remote desktop access, sometimes via phishing aimed at IT administrators with elevated privileges. Once inside, they move laterally to locate backup servers and file repositories, staging data quietly before making their presence known.
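
A detection correlation for the behaviour described above, as an added example that is not part of the original article: it links an administrator VPN login, RDP sessions from that VPN address to backup or file servers, and later outbound volume from those hosts, using a lookback measured in weeks. The event schema, account and host names, and thresholds are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not from the incident); all names and IPs are hypothetical.
ADMINS = {"it-admin7"}
HIGH_VALUE = {"bkp-01", "fs-eng-02"}  # backup server and file repository
GIB = 2**30
EVENTS = [
    {"ts": "2025-03-02T02:14", "type": "vpn_login", "user": "it-admin7", "ip": "10.8.0.23"},
    {"ts": "2025-03-02T02:31", "type": "rdp", "src": "10.8.0.23", "dst": "bkp-01"},
    {"ts": "2025-03-05T09:00", "type": "vpn_login", "user": "jsmith", "ip": "10.8.0.40"},
    {"ts": "2025-03-05T09:10", "type": "rdp", "src": "10.8.0.40", "dst": "ws-114"},
    {"ts": "2025-03-09T01:05", "type": "rdp", "src": "10.8.0.23", "dst": "fs-eng-02"},
    {"ts": "2025-03-20T03:40", "type": "outbound", "host": "bkp-01", "bytes": 900 * GIB},
    {"ts": "2025-03-21T03:10", "type": "outbound", "host": "fs-eng-02", "bytes": 40 * GIB},
    {"ts": "2025-03-22T12:00", "type": "outbound", "host": "ws-114", "bytes": 2 * GIB},
]


def find_exfil_chains(events, lookback_days=30, min_bytes=100 * GIB):
    """Return (user, host, GiB) where an admin VPN session reached a high-value
    host over RDP and that host later sent >= min_bytes outbound within the
    lookback window measured from the first such RDP session."""
    vpn_ip = {}                 # VPN-assigned IP -> admin account currently holding it
    first_touch = {}            # high-value host -> (admin account, time of first RDP)
    totals = defaultdict(int)   # (admin account, host) -> outbound bytes
    for e in sorted(events, key=lambda ev: ev["ts"]):
        ts = datetime.fromisoformat(e["ts"])
        if e["type"] == "vpn_login":
            vpn_ip.pop(e["ip"], None)          # address may be reassigned
            if e["user"] in ADMINS:
                vpn_ip[e["ip"]] = e["user"]
        elif e["type"] == "rdp":
            if e["src"] in vpn_ip and e["dst"] in HIGH_VALUE:
                first_touch.setdefault(e["dst"], (vpn_ip[e["src"]], ts))
        elif e["type"] == "outbound" and e["host"] in first_touch:
            user, touched = first_touch[e["host"]]
            if ts - touched <= timedelta(days=lookback_days):
                totals[(user, e["host"])] += e["bytes"]
    return sorted((u, h, b // GIB) for (u, h), b in totals.items() if b >= min_bytes)


if __name__ == "__main__":
    print(find_exfil_chains(EVENTS))                    # weeks-long window
    print(find_exfil_chains(EVENTS, lookback_days=7))   # short window misses it
```

With a 7-day lookback the same events produce no alert, which is why correlation for a slow, exfiltration-first intrusion needs windows measured in weeks.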

This isn’t the first time

Foxconn has been through this before. In November 2020, the DoppelPaymer gang hit a facility in Ciudad Juárez, Mexico, demanding $34 million and reportedly deleting 30TB of backup data. In May 2022, a separate ransomware attack disrupted production at the company’s Baja California plant in Tijuana.

Three attacks in six years, all targeting North American manufacturing sites, suggest that Foxconn’s interconnected “Smart Manufacturing” network gives attackers more than one way in. The push toward IoT-integrated and cloud-connected production (what the industry calls Industry 4.0) has expanded that attack surface considerably.

The broader implications

This breach is happening against a specific backdrop. The Mount Pleasant facility is focused on AI server assembly and liquid-cooling testing, putting it at the center of domestic high-performance computing supply chains. If the stolen schematics are real, they don’t just represent a corporate espionage problem; they represent a shortcut for anyone trying to replicate hardware that took years and hundreds of millions of dollars to develop.

Whether Nitrogen sells the data, leaks it, or simply uses it as ransom leverage is still unclear. The group has not published a payment demand publicly.

On the consumer side, there’s no current evidence that personal data (Apple user accounts, Google account information, and similar) was part of the exfiltration. The files appear to be industrial: blueprints, specs, internal documentation.

Foxconn’s statement

The company issued the following statement to Mike Beiermeister of TMJ4 News: “Recently, our IT systems in Wisconsin sites experienced a technical issue affecting operations. We immediately activated our emergency response mechanism and implemented a series of contingency measures to ensure the continuity of production and delivery, as well as the protection of data.”

That statement is fairly standard for a company managing an active incident. What it doesn’t address is whether any of the data Nitrogen claims to have is real, what the actual recovery timeline looks like, or whether the affected clients (Google, Intel, Apple, and others) have been notified.

What to watch

This is a developing story. If Nitrogen releases additional data samples, or if any of the named companies confirm their files were among the stolen assets, the scope of this incident could widen considerably. The next few weeks will likely determine whether this stays a ransomware story or becomes something larger.

This article will be updated as new information becomes available.
