11 Million Files Walked Out of Foxconn's Wisconsin Factory on May 1—Now Apple, Intel, Google, and Nvidia Schematics Are in a Ransomware Gang's Hands

A Quiet Wednesday Morning in Mount Pleasant

At 7 AM on May 1, the Wi-Fi went down inside Foxconn's Mount Pleasant, Wisconsin facility. By 11 AM, the core infrastructure was gone. Timecard terminals were dead. Workers grabbed clipboards and started writing their hours down on paper. One employee told reporters the factory "felt like the power had gone out, except all the lights were still on."

It would be nearly two weeks before the parent company confirmed publicly what had actually happened. On May 12, Foxconn acknowledged a cyberattack against its North American facilities. By then, a ransomware crew calling itself Nitrogen had already posted samples on its dark web leak site. Schematics. Bank statements. Internal project documentation. The post claimed eight terabytes total, across more than 11 million files.

Who Nitrogen Steals From

Foxconn does not build phones for one customer. It builds them for every customer. Apple, Google, Nvidia, Intel, Dell, Sony, and Microsoft all push designs through Foxconn's lines. If the criminal group's claims hold up, the haul includes confidential instructions, internal project documentation, and technical drawings tied to all of them.

The Mount Pleasant plant primarily manufactures televisions and data servers, not iPhones, and so far no Apple-specific materials have appeared in the sample drops. But Foxconn is one network. A breach at one facility puts every customer's contractual data at risk of lateral exposure.

The Houston facility was also hit. Foxconn's statement said affected factories were "currently resuming normal production" and that its cybersecurity team had "activated the response mechanism." The company did not confirm whether customer data was compromised, and did not respond to follow up questions about scope.

Nitrogen Is a Conti 2 Descendant

Nitrogen first surfaced in 2023, built on the leaked Conti 2 ransomware builder that has spawned at least a dozen successor groups since the original Russian speaking gang dissolved. Like most of Conti's heirs, Nitrogen runs a double extortion model: encrypt the victim's systems on one side, exfiltrate the data on the other, then run an auction if the ransom is not paid.

The group has hit dozens of corporate targets over the past two years, but Foxconn is by far the highest profile catch—Foxconn's revenue dwarfs the GDP of several small countries, and the supplier list above means any leaked design files cascade through the entire consumer electronics supply chain.

The Bug That Breaks Both Sides

There is one twist that should worry anyone considering payment. Three months ago, in February, Coveware researchers tore apart Nitrogen's ESXi encryptor and found a coding error that corrupts the public key before it is used for encryption. The variable holding the key sits at stack offset rsp+0x20. A second variable gets written to rsp+0x1c immediately after, overwriting four bytes of the key.

The encryption still runs. The files still get locked. But the key used in the exchange is now corrupted. Even if a victim pays the ransom and Nitrogen sends back the matching private key, decryption fails on every ESXi-encrypted file. The criminals cannot reverse what they did. Veeam and SOSRansomware both confirmed Coveware's findings independently.

For Foxconn, this matters less because the attack appears to be primarily a data theft operation rather than a full encryption event. Production was disrupted at two sites for days, but Foxconn says recovery is proceeding. For any other Nitrogen victim whose ESXi servers got hit, paying the ransom is officially pointless.

What Foxconn Is Not Saying

Foxconn's public statement is conspicuously narrow. The company acknowledges an incident. It confirms the affected facilities are resuming production. It does not confirm what data was taken, does not name the attacker, and does not address whether customers have been notified.

That silence has business consequences. Apple, Intel, Google, and Nvidia have all entrusted Foxconn with manufacturing data that, in some cases, is protected by NDAs predating products that have not yet been announced. If any of the documents Nitrogen has posted contain pre release product specifications, the downstream customers may have legal options against the supplier independent of the ransomware itself.

This is Foxconn's third disclosed ransomware incident. LockBit hit Foxconn facilities in 2022, and a separate attack hit the company's Mexican operations in 2020. Each time, the playbook has been the same: confirm minimally, attribute slowly, and let the news cycle move on. The 11 million-file claim is large enough that, this time, the cycle may not cooperate.

Why This Reaches Past Foxconn

A breach at a contract manufacturer behaves nothing like a breach at a software as a service vendor. The data Foxconn holds is physical: PCB layouts, mechanical drawings, firmware blobs, jigs, bills of materials. None of it can be revoked. If a competitor or state actor buys access to product schematics from Nitrogen's auction, the leaked designs are useful for years.

It also reaches into how every other manufacturer thinks about segmentation. Foxconn's footprint includes thousands of supplier and customer integrations. The fact that an attacker could grab eight terabytes from two North American sites and walk it out the door suggests segmentation between client environments inside Foxconn is not what it should be. Cushman & Wakefield's 50 GB Salesforce dump last week showed the same pattern at a real estate firm. The attackers do not need to break in everywhere—they break in once, then walk through to every connected tenant.

For the people who use the products Foxconn builds, the practical exposure is unchanged for now. Phones still work. TVs still work. But for the security teams at every Foxconn customer, the next few weeks involve scanning Nitrogen's leak site to see what shows up. Anything pre release that appears in those files is a problem that does not get patched by an over the air update.