FulcrumSec claims it breached Novo Nordisk networks and demanded $25 million ransom

Hacking group claims it breached Novo Nordisk and demanded $25m

FulcrumSec says it spent more than two months inside the drugmaker's networks. Novo Nordisk confirmed unauthorised access and refused to pay. A cyber-extortion group calling itself FulcrumSec said on Monday that it had stolen roughly 1.3 terabytes of data from Novo Nordisk, the Danish maker of the weight-loss drugs Wegovy and Ozempic, and had demanded $25 million to keep it private. Novo Nordisk did not pay. The group, by its own account, is now looking for buyers. The numbers in a breach like this are easy to recite and hard to feel. A terabyte and a third is a lot of files; the more telling figure is time. FulcrumSec claims it spent more than two months inside the company's networks before anyone moved it out, which is the part of the story that should worry a board more than the ransom note. Two months is not a smash-and-grab. What the group says it took reads like an index of everything a pharmaceutical company would least like to lose: source code, proprietary information on drugs both released and unreleased, clinical-trial data, records on employees, doctors and patients, details of manufacturing facilities, and material the group described as relating to the company's internal AI models. The breadth is the point. This was not a single database left exposed but, on FulcrumSec's telling, a long walk through the building. Novo Nordisk confirmed it had detected unauthorised access to certain internal IT systems and said it was responding to the incident. The company has not corroborated the volume of data the group claims, nor independently verified the specific categories of stolen material, and at the time of writing the details rest largely on FulcrumSec's own statements. After the company declined the demand, the group said it was exploring private sales of some of the data, including material tied to particular drugs. FulcrumSec is a relatively new name. It surfaced in October 2025 and has since followed the now-standard playbook of the double-extortion crews: get in, exfiltrate quietly, then threaten publication rather than bothering to encrypt. The model works because stolen healthcare and research data has durable value on criminal markets, useful for fraud, identity theft and targeted phishing long after the initial theft, a dynamic TNW has tracked across a string of healthcare breaches. The refusal to pay is the bet most security professionals would advise and the one that guarantees the next phase. Paying funds the next attack and offers no real assurance the data will be deleted; refusing means the material is likely to leak or sell. Whether to ban ransom payments outright is a question that has split the cybersecurity industry for years, and cases like this one are exactly why. For now, Novo Nordisk is in the uncomfortable position of having made the defensible choice and still facing the consequence. The ransom was declined. The data, if FulcrumSec is telling the truth, is on the market.

Hacking group claims major attack of Novo Nordisk and attempted $25 million extortion

A cyber extortion group claimed on Tuesday to have stolen more than a terabyte of data from pharmaceutical giant Novo Nordisk and said it is exploring selling parts of the data after unsuccessfully demanding $25 million from the company. FulcrumSec, a cyber extortion group that emerged in October 2025, said in a long message posted to its website that it spent more than two months in Novo Nordisk's networks stealing data. It said that data included company source code, proprietary information on released and unreleased drugs, trial data, data on employees, doctors and patients, information related to company processing facilities and internal AI model information. A Novo Nordisk spokesperson ⁠said in an email that the company "is aware of claims that data allegedly copied externally without authorisation from our systems has ⁠been published online. We take this matter seriously and maintain continued operations of our main platforms. We are in contact with the relevant authorities." The authenticity of the data posted by the hacking group could not be immediately verified. FulcrumSec said ⁠in an email that Novo Nordisk representatives contacted the group on June 3, roughly 48 hours after the group's initial contact to unnamed company executives. The company used ⁠a random Proton Mail email address to message email addresses that FulcrumSec used in its initial outreach, and confirmed it was the company by requesting specific files for verification only the company would know about. The FulcrumSec representative also said that the group would prefer not to sell data, "as open sourcing it is a more effective deterrent for future companies to avoid paying." The Danish company disclosed a cybersecurity incident on June 11 that it said involved unauthorized access to a limited number of internal IT systems that included access to certain personal data. FulcrumSec said that after Novo Nordisk refused to pay $25 million, it was "exploring private sales" for some of the data related to certain drugs and other internal data. Thomas Willkan, head of research at cybersecurity firm Lab-1, who has closely tracked FulcrumSec, said the hacking group is "usually quite legit in terms of both their capabilities and also their claims." FulcrumSec said it would not share some of the data it stole, including information on thousands of company employees and physicians, and roughly 11,500 clinical trial patients filed under pseudonyms. The group said it also would withhold data related to operational ⁠technology and software used to interact with sensors and machinery at Novo Nordisk production facilities as part of its "harm-reduction strategy." Novo Nordisk is known for its treatments for obesity and diabetes, notably Wegovy and Ozempic. DataBreaches.net, a blog focused on cybersecurity, ransomware and data extortion, reported on June 15 that FulcrumSec...