Lead Analysis
Security & Risk · 5 min

Nitrogen Invades Foxconn: Apple Server Schematics Confirmed Among 8 TB Stolen

Aerial view of an industrial electronics manufacturing complex at dusk, with a worker beside cargo containers, representing the Foxconn facilities affected by the Nitrogen group's ransomware attack

The Nitrogen group claims to have exfiltrated 8 TB across 11 million files from Foxconn, including technical drawings of Apple, Google, and Nvidia projects. AppleInsider confirmed today the presence of Apple server schematics in the leaked material.

On 11 May 2026, the Nitrogen ransomware group published on its dark web leak site a claim of responsibility for the attack on Foxconn Technology Group, the world's largest contract electronics manufacturer. Foxconn confirmed the incident the following day, stating that "some of its factories in North America suffered a cyberattack" and that the cybersecurity team activated internal containment procedures immediately. On 20 May, AppleInsider confirmed that schematics for Apple servers are among the material exfiltrated by the group, making concrete what had previously been allegations from the attacker itself.


Nitrogen claims to have exfiltrated 8 TB of data spread across more than 11 million files. The material includes confidential technical instructions, internal project documentation, and technical drawings related to products from Apple, Google, Nvidia, Intel, and Dell. The affected facilities, according to multiple specialised security outlets, include factories in Wisconsin and Texas, central components of the company's North American contract manufacturing operation. The concentration of intellectual property from five major tech companies in a single exfiltration event is unusual even by the standards of incidents involving contract manufacturers, where the usual attack vector compromises data from a single client at a time.


Who is Nitrogen and How Does it Operate


Nitrogen is a group active since 2023, built on the source code of the Conti 2 builder, leaked after the dissolution of the original group in the same year. Researchers have identified operational links with the ALPHV/BlackCat ecosystem, one of the most lucrative ransomware-as-a-service groups before its dismantling in 2024. The adopted model is double extortion: encrypting the victim's systems combined with prior data exfiltration, creating two independent coercion levers unrelated to the decision to pay.


The history of ransomware attacks on the Foxconn group follows a pattern of recurrence that deserves attention. In 2022, LockBit compromised a subsidiary in Mexico. In 2024, the same group attacked Foxsemicon Integrated Technology, the semiconductor division of the holding company. The incident in May 2026 marks the third confirmed ransomware attack against entities in the Foxconn group within four years, signalling persistent targeting of this manufacturing chain.


What the Apple Schematics Expose


Technical drawings and hardware schematics represent the most sensitive category of intellectual property that a contract manufacturer holds. Unlike access credentials, whose damage can be contained by password rotation, schematics describe component geometries, manufacturing tolerances, and circuit architecture, with a lifespan that can extend for decades. For the Apple server schematics confirmed by AppleInsider, the exposure may involve information about custom processing hardware, including configurations of platforms based on M-series chips still in development or nearing release.


In addition to the implications for intellectual property, some designs of semiconductors and high-performance server components are subject to the United States' Export Administration Regulations (EAR). Foxconn and the affected customers will need to assess whether the exfiltration triggers reporting obligations to the Bureau of Industry and Security (BIS), adding to the notifications already required by privacy regulations and by supply contracts with US government agencies. A forensic analysis of the leaked documents, conducted independently by each client company, will be the necessary step to determine the actual exposure and applicable regulatory timelines.


Fragmented Response and Uncertainty Regarding Scope


Foxconn informed the press that the affected factories are resuming normal operations, without detailing the entry vector used by Nitrogen, the encrypted systems, or confirming the full authenticity of the released material. Apple, Google, Nvidia, Dell, and Intel have not issued public statements on the incident as of the time of publication.


The absence of statements from the five companies whose projects appear in the leaked material should not be interpreted as a lack of internal action, but the public management of the incident by Foxconn's clients will be closely monitored by risk analysts, cyber insurance providers renewing policies for the manufacturing sector, and export regulators. Prolonged silence in incidents with this type of IP exposure tends to be interpreted as an unfavourable indicator in third-party evaluations and contractual compliance audits.
