Foxconn is the type of target that is particularly attractive to ransomware and data extortionists, as it is a massive company with divisions and subsidiaries around the world that holds not only its own intellectual property but also the intellectual property of its customers. The company is a major manufacturing contractor for electronic components or entire devices, including Apple’s iPhones.
“Ransomware groups are increasingly targeting victims that can impact the supply chain, whether physical or software,” says Alan Liska, threat intelligence analyst at security firm Recorded Future. “So it is not surprising that a company like Foxconn would be targeted, as it manufactures and holds sensitive data for many companies around the world.”
The attackers, known as Nitrogen Group, listed Foxconn on their breach site on Monday. Nitrogen, which emerged in 2023, is not the most high-profile or prolific ransomware actor, but it has been consistently active with some spikes, including in late 2024. The group, which typically targets victims in North America and Western Europe, also has ties to the notorious ALPHV/BlackCat ransomware group.
“Although reports indicate Nitrogen has been active since 2023, our first observation of their activity was in 2024, targeting Control Panels USA,” says Ian Gray, vice president of intelligence at security company Flashpoint. “We have seen approximately 50 victims since launching, primarily targeting the manufacturing, technology, and retail sectors. Manufacturing is one of the most targeted sectors for ransomware in general.”
The idea of Foxconn as the main target is not just ideological. The company has faced several extortion attempts, including a December 2020 attack on a Mexican facility in which the DoppelPaymer ransomware group memorably demanded 1,804 Bitcoin (worth about $34 million at the time). Lockbit Group attacked another Foxconn facility in Mexico in May 2022 and disrupted production. Recently, Lockbit attacked its subsidiary called Foxsemicon Integrated Technology in 2024 with claims of extortion and data breach.
In addition to attempting to extort victims by threatening to release data stolen in an attack, Nitrogen also often deploys traditional ransomware that encrypts the target’s systems. Researchers say the group’s ransomware program was created from widely repurposed “Conti 2” code, but there’s a problem. Nitrogen’s encryption mechanism has a design flaw that makes it impossible to decrypt data once it’s encrypted – even if the attackers want to leave the victim’s system. It’s unclear whether this is a factor in Foxconn’s incident response this week.
Ransomware and data extortion is a serious digital security problem, and attackers regularly repeat targets and stoop to new lows in carrying out large-scale disruptive attacks. Just last week, thousands of schools across the US were brought to a halt amid finals and other year-end activities when education tech firm Instructables shut down access to its Canvas platform following a breach by extortion actors.
Updated at 6:15 pm ET on May 12, 2026 to include comment from Flashpoint’s Ian Gray.
<a href