Foxconn, the world's largest contract electronics manufacturer and the company that builds Apple's iPhones, confirmed this week that a ransomware attack hit several of its North American factories. The Nitrogen ransomware group claimed responsibility, posting proof on its dark web leak site and threatening to publish 8 terabytes of stolen data comprising more than 11 million files.

The stolen data allegedly includes confidential product schematics, circuit board layouts, technical drawings, internal project documentation, and bank statements tied to projects at Apple, Nvidia, Intel, Google, Dell, and AMD. Nitrogen published sample files as proof. Foxconn has not confirmed whether customer data was actually taken and declined to answer specific questions.

The attack hit facilities in Mount Pleasant, Wisconsin, and Houston, Texas. Some employees were sent home. Others fell back on pen and paper while networks were restored. "The cybersecurity team immediately activated the response mechanism," a Foxconn spokesperson told BleepingComputer. "The affected factories are currently resuming normal production."

The Ransom You Cannot Pay

Here is the detail that makes this attack different from a standard ransomware shakedown. In February 2026, Coveware researchers published a warning that a programming error in Nitrogen's ESXi encryptor causes it to encrypt all files with the wrong public key. That means decryption is mathematically impossible, even if the victim pays the ransom and Nitrogen hands over a decryption key. The data is gone. Recovery depends entirely on backups.

Nitrogen operates as a double-extortion group: it encrypts victim systems and simultaneously steals data to threaten publication. The group is believed to be built on code from the leaked Conti 2 ransomware builder and is suspected of having links to the ALPHV/BlackCat ecosystem. It has been active since 2023, primarily targeting manufacturing, technology, and retail in North America and Western Europe. Flashpoint's Ian Gray told WIRED the firm has observed approximately 50 victims since the group launched.

Why Foxconn Is a Dream Target

Foxconn employs over 900,000 people across 240 facilities in 24 countries, with revenues exceeding $260 billion in 2025. Its customer list is effectively a who's-who of the entire technology industry. That makes it a honeypot: any attacker who gets in does not just get Foxconn's data. They potentially get Apple's, Nvidia's, Intel's, and Google's.

This is not Foxconn's first ransomware incident. DoppelPaymer hit a Mexican facility in December 2020, demanding $34 million in Bitcoin. LockBit struck another Mexican factory in May 2022 and disrupted production. LockBit also attacked a Foxconn subsidiary, Foxsemicon, in 2024. The company keeps getting hit because it keeps being worth hitting.

The timing is also relevant. This breach lands during the same week that Anthropic's Project Glasswing is demonstrating how AI can find thousands of zero-day vulnerabilities across enterprise infrastructure. The offensive and defensive AI cybersecurity arms race is no longer theoretical. It is playing out in real time, and the companies that build the world's hardware are squarely in the crossfire.

Sources: TechCrunch (Lorenzo Franceschi-Bicchierai, May 13), WIRED (Lily Hay Newman, May 12), BleepingComputer (May 12), The Register (May 12), Notebookcheck (Darryl Linington, May 14), Cybernews (May 13), Coveware (February 2026).