Foxconn Ransomware Attack Hits North American Factories

Foxconn, the world's largest contract electronics manufacturer, has confirmed a ransomware attack that disrupted production across multiple North American facilities. The Nitrogen ransomware group claimed responsibility on May 11, posting sample files to its dark web leak site and asserting it had extracted 8 terabytes of data, including confidential technical documents tied to some of the world's biggest technology companies.

Foxconn acknowledged the incident in a statement, saying its cybersecurity team "activated the response mechanism and implemented multiple operational measures to ensure the continuity of production and delivery." Affected factories, the company added, are currently resuming normal production. It declined to specify how many facilities were impacted.

Production Lines Down, Workers Sent Home

Before Foxconn confirmed the attack, employees at its Mount Pleasant, Wisconsin facility reported being sent home after widespread Wi-Fi and network outages disrupted operations. Computers were non-functional. Staff resorted to paper and pen to carry out basic tasks. Reports also identified the company's Houston, Texas site as affected.

Foxconn had initially described the disruptions as a "technical issue." The ransomware confirmation followed after Nitrogen posted its claim publicly.

The company operates factories across Wisconsin, Ohio, Texas, Virginia, and Indiana in the United States, with additional facilities spread across Mexico. Its North American footprint plays a central role inproducing high-end server hardware and AI infrastructure components, a significant part of Foxconn's current strategic direction, particularly at the Wisconsin site.

What Nitrogen Claims to Have Stolen

Nitrogen's claim goes well beyond encrypting systems. The group says it extracted more than 11 million files, including internal project documentation, technical drawings, confidential instructions, and schematic sconnected to major Foxconn clients. Named in those claims: Apple, Intel, Google, Dell, and Nvidia.

No client has publicly confirmed that its data was compromised. But the nature of the alleged theft, proprietary product documentation tied to multiple global technology brands, raises direct supply chain concerns. Foxconn manufactures components and systems across a vast client base. If technical schematics and project files related to those clients were genuinely taken, the exposure extends well beyond Foxconn's own operations.

Nitrogen has been active since at least September 2024, when it publicly claimed its first victims. The group favors deliberate, high-impact attacks over broad distribution, using encryption alongside data exfiltration to apply pressure and threatening public disclosure when ransom demands are not met. Initial access typically stems from exposed external services, stolen credentials, or phishing-related compromise rather than zero-day exploits. Once inside, Nitrogen disables backups, interferes with security tooling, and abuses legitimate system utilities to move through networks.

A Repeat Target With a Long Ransomware History

This is not the first time Foxconn has faced this kind of attack. The company has been hit multiple times across different subsidiaries and geographies over the past six years.

In December 2020, the DoppelPaymer group struck a Foxconn facility in Ciudad Juárez, Mexico. The attackers encrypted up to 1,400 servers, destroyed 20 to 30 terabytes of backup data, and demanded a ransom of roughly $34 million in Bitcoin. In May 2022, LockBit hit a Foxconn production plant in Baja California. In 2024, LockBit targeted Foxsemicon Integrated Technology, a semiconductor equipment subsidiary within the Foxconn group.

Now Nitrogen has struck the company's North American operations, and this time the disruption reached the factory floor in a way that visibly halted production.

Why Contract Manufacturers Are a Prime Ransomware Target

Foxconn's repeated targeting is not coincidental. The company reported $258.3 billion in revenue in 2025 and is considered the world's largest contract manufacturer of electronics, producing goods for Apple, Google, Microsoft, Cisco, and others. That scale, and the density of client relationships running through a single supply chain node, makes it exceptionally valuable to threat actors.

Ransomware groups understand this calculus. A successful attack on a major contract manufacturer creates multiple pressure points simultaneously: the manufacturer faces operational disruption and reputational damage, while its clients face potential exposure of their own proprietary data. Both dynamics increase the likelihood of a ransom payment.

Nitrogen is believed to be one of several ransomware operations that borrowed code from the leaked Conti 2 builder. There is also a technical complication specific to this attack. Researchers warned earlier this year that a programming error prevents Nitrogen's decryptor from recovering encrypted files on VMware ESXi systems, meaning that paying the ransom may not guarantee recovery.

Disclosure Gaps Leave Questions Open

Foxconn has confirmed the attack but provided limited detail. The number of factories affected, the scope of systems compromised, and the current status of the allegedly stolen data remain unaddressed publicly. No ransom figure has been disclosed.

The pattern of initial denial, quiet acknowledgment, and minimal disclosure is common in large-scale ransomware incidents, particularly when clients and regulators are watching. For the companies whose technical documentation Nitrogen claims to hold, the silence is unlikely to be reassuring.

Foxconn's situation is a direct illustration of a broader risk that security teams across the manufacturing sector are tracking: disruption no longer stays in IT. When ransomware takes down factory networks, production halts, workers go home, and supply chains stall. The operational blast radius of these attacks has expanded well beyond the data center.