Novo Nordisk Extortion Attempt: Hackers Demand $25 Million Ransom
Trend: data-breach

June 18, 2026

Summary

Danish pharmaceutical giant Novo Nordisk, widely known for its blockbuster weight-loss and diabetes drugs Ozempic and Wegovy, has fallen victim to a major cyberattack. The hacking group FulcrumSec claims to have exfiltrated approximately 1.3 terabytes of sensitive data and demanded a $25 million ransom. Novo Nordisk refused to pay, prompting the extortionists to begin leaking the stolen files. Concurrently, media confusion arose regarding a separate, massive database leak containing 24 billion credentials, which was incorrectly linked to the Novo Nordisk incident.

What happened?

On June 11, 2026, Novo Nordisk officially disclosed an IT security incident. The relatively new cyber-extortion group FulcrumSec claimed responsibility, stating that it had maintained undetected access to the company’s network for over two months. During this time, the group exfiltrated 1.3 terabytes of data and demanded $25 million to prevent a leak. After Novo Nordisk refused to negotiate or pay, FulcrumSec began posting sample files as proof on its leak site and announced plans to sell the intellectual property to third parties. Additionally, a second group named TheUSERS007 issued a separate $50 million demand, which the company also ignored.

Why it matters

This incident is highly significant for several key reasons:

  • Intellectual Property Threat: The stolen files reportedly contain proprietary manufacturing processes and molecular formulas for Ozempic and Wegovy. Compromising this IP could undermine Novo Nordisk’s market dominance.
  • Theft of AI Models: FulcrumSec claims to have stolen around 30 trained AI models and datasets used for drug discovery. This highlights a shift toward targeting advanced research assets rather than just administrative data.
  • Disentangling Trends: The breach coincided with news of a colossal 24-billion-record credential database discovery. These two distinct security events were conflated in online discussions and headlines, generating widespread confusion.

Evidence

  • Company Statement: Novo Nordisk confirmed on June 11, 2026, that unauthorized access was gained to a limited number of internal IT systems.
  • Hacker Activities: FulcrumSec has published sample files to the dark web and is actively seeking private buyers for the remaining dataset.
  • Media Reporting: Industry outlets such as FiercePharma, SecurityWeek, and Cybernews have extensively documented the ransom demands and clarified the separation between the breach and the credential aggregation leak.

Analysis

Novo Nordisk’s decision to refuse the $25 million ransom aligns with standard cybersecurity guidance, yet it exposes the company to long-term risks. If competitors or state-backed entities purchase the proprietary formulas, it could accelerate the development of generic alternatives. Furthermore, the theft of AI models represents a new frontier in corporate espionage. Pharmaceutical companies must evolve their security postures to treat proprietary algorithms, model weights, and drug discovery datasets as highly classified, isolated assets.

Practical Takeaways

  • Targeting of the Biotech Sector: Highly profitable pharmaceutical companies remain prime targets for sophisticated ransomware groups due to the extreme value of their intellectual property.
  • Securing AI Infrastructure: Machine learning pipelines, dataset stores, and trained model weights must be categorized as critical intellectual property and secured with strict access controls.
  • Fact-Checking Breach Reports: Security teams and media relations must act quickly during incidents to clarify facts and prevent unrelated global trends from being falsely attributed to their organization.

Open Questions

  • How much pseudonymized clinical trial and patient data was actually compromised during the network intrusion?
  • Will FulcrumSec find willing buyers for the stolen Ozempic formulas and AI models on the dark web?
  • What specific security vulnerabilities allowed the attackers to dwell undetected within Novo Nordisk’s systems for two months?

Sources

  1. FiercePharma: Novo’s security breach claimed by hacking groups
  2. SecurityWeek: Cyber-Extortionists Target Novo Nordisk
  3. Cybernews: Novo Nordisk Breach and the 24 Billion Records Confusion
  4. Heise Online: Sicherheitsvorfall bei Ozempic-Hersteller Novo Nordisk
  5. Reddit Technology: Discussion on the Colossal Breach