The Nitrogen ransomware group has listed Foxconn on its dark web extortion site, claiming to have stolen 8 terabytes of data, comprising over 11 million files, from the electronics manufacturer's AI server facility in Racine County, Wisconsin. The leaked sample data reportedly includes assembly instructions, data center topology diagrams, and hardware schematics tied to Apple, Intel, Google, NVIDIA, and Dell. Foxconn has confirmed "IT systems issues" at the Mount Pleasant campus and activated emergency protocols, with production now in a "gradual restoration" phase.

What Happened

The intrusion surfaced publicly on Friday, May 1, 2026, when workers at Foxconn's Mount Pleasant campus reported a full network collapse. Wi-Fi connectivity dropped by 7:00 AM, and by 11:00 AM the disruption had cascaded through core plant infrastructure. Employees were instructed to power down workstations and refrain from logging back in, while timecard terminals went offline, forcing staff to revert to paper timesheets to track hours. Internal notices reviewed by investigators indicate the network problems persisted through at least Tuesday, May 5. On May 11, Nitrogen formally posted Foxconn to its leak site, publishing sample files to substantiate the breach claim. The timing is particularly damaging: the facility had recently received an additional $569 million investment to scale AI server and cloud infrastructure production.

What Was Taken

Nitrogen claims a haul of 8 TB spanning more than 11 million files. Cybersecurity analysts who reviewed the sample drop describe three principal categories of data:

The topology documents are widely viewed as the most sensitive element of the leak. They reportedly map live hyperscaler infrastructure, which, if authentic, could provide adversaries with a blueprint for both physical and digital reconnaissance against named data centers. Foxconn has not confirmed authenticity of the samples, and Apple, Google, Intel, NVIDIA, and Dell have not issued public comments.

Why It Matters

Foxconn sits at the upstream end of the global compute supply chain. A breach at this tier is not contained to a single victim; the exfiltrated intellectual property and architectural documentation belong, by reference, to the customers whose hardware Foxconn builds. Authentic topology diagrams for Google and Intel facilities would represent some of the most consequential supply chain exposure of the year, equipping threat actors with intelligence relevant to nation-state targeting, industrial espionage, and physical security planning. The incident also lands during a politically and economically sensitive moment for the Mount Pleasant site, which was being scaled up specifically for AI server and cloud infrastructure manufacturing tied to the current generation of hyperscaler buildout.

The Attack Technique

Nitrogen is a data-extortion-forward operator that typically dwells inside target networks for weeks before triggering visible disruption, prioritizing bulk exfiltration over rapid encryption to maximize negotiating leverage. The group's historical entry vectors include compromised VPN appliances and remote access services, often paired with credential reuse or weak multi-factor configurations. By the time defenders observe operational impact, such as the network collapse seen at Mount Pleasant on May 1, the data has already left the environment. The volume claimed here, 8 TB across millions of files, is consistent with an extended dwell time and staged egress across multiple channels rather than a smash-and-grab encryption event.

What Organizations Should Do

Sources: Foxconn Breach: Nitrogen Claims 8TB Theft from Wisconsin AI Plant | The CyberSec Guru