Novo Nordisk Data Breach: Hackers Demanded $25M, Now Threaten to Sell Stolen Files

A cyber extortion group says it spent two months inside Novo Nordisk's network before walking away with more than a terabyte of company data — and is now weighing whether to sell it after the pharmaceutical giant refused to pay a $25 million ransom.

The group, known as FulcrumSec, went public on Tuesday with a lengthy statement posted to its own site, claiming the haul includes source code, details on both released and unreleased drugs, clinical trial records, internal AI model data, and information tied to employees, doctors, and patients.

Novo Nordisk — the Danish company behind blockbuster weight-loss and diabetes drugs Wegovy and Ozempic — had already confirmed on June 11 that it detected unauthorized access to a limited number of internal systems, including some personal data. In response to Tuesday's claims, a company spokesperson said Novo Nordisk is aware of the allegations, takes the matter seriously, has kept its core platforms running, and is working with the relevant authorities. Reuters reported it could not independently confirm whether the leaked files are genuine.

---

How the Extortion Attempt Unfolded

According to FulcrumSec's own account, shared with Reuters, the timeline played out over several weeks. The group says it first reached out to unnamed Novo Nordisk executives, and the company responded roughly two days later — on June 3 — using an anonymous Proton Mail address. To confirm they were actually speaking with Novo Nordisk staff, the hackers reportedly asked for specific internal files that only someone inside the company would have access to.

When the $25 million demand went unanswered, FulcrumSec says it began looking into "private sales" for portions of the data tied to specific drugs and other internal records.

A separate report from the cybersecurity blog DataBreaches.net adds more detail to the timeline: FulcrumSec told the outlet it first broke into Novo Nordisk's systems back in March, with the alleged correspondence with the company beginning June 1. That exchange reportedly referenced a file list exceeding 700,000 documents, totaling around 1.3 terabytes.

Notably, a separate hacking research site, VX-Underground, reported a different, unnamed attacker had also compromised Novo Nordisk around the same time — but FulcrumSec maintains its breach is unrelated to that incident.

---

What the Hackers Say They Won't Release

In an unusual move for an extortion group, FulcrumSec drew a line around certain categories of data. The group says it will withhold records covering thousands of employees and physicians, along with close to 11,500 clinical trial patients whose data had already been pseudonymised.

It also says it's holding back anything connected to the operational technology running Novo Nordisk's manufacturing equipment and sensors — citing what it called a "harm-reduction" approach.

Whether this is a genuine ethical line or a calculated PR move to appear more credible (and therefore more threatening) is impossible to verify independently. Either way, the selective withholding is part of a broader negotiating tactic increasingly common among data extortion groups: prove capability and access, then use restraint as leverage to seem trustworthy enough to negotiate with.

FulcrumSec also told Reuters it would rather not sell the stolen data outright. Publishing it openly, the group argued, sends a stronger warning to future targets considering whether to pay — essentially using public exposure as a deterrent strategy rather than a straightforward cash grab.

---

Who Is FulcrumSec?

FulcrumSec is a relatively new entrant in the cyber extortion space, first appearing in October 2025. Despite its short track record, the group has built a credible reputation in a short window.

Thomas Willkan, head of research at cybersecurity firm Lab-1, who has tracked the group closely, described FulcrumSec as generally reliable in both what it claims to have done and its technical ability to actually do it — a notable distinction in a space full of groups that exaggerate or fabricate breaches entirely.

---

Why This Breach Matters Beyond Novo Nordisk

This incident lands at the intersection of three things every company building or storing sensitive data should be paying close attention to in 2026.

Pharmaceutical data is now a prime target. Unreleased drug formulas, trial results, and proprietary research represent enormous competitive and financial value — arguably more valuable to a buyer on the black market than customer payment data. Companies sitting on this kind of IP face a fundamentally different threat calculus than typical SaaS or retail breaches.

AI model data is explicitly being targeted now. The inclusion of "internal AI model information" in FulcrumSec's claimed haul is a signal worth sitting with. As companies build proprietary AI systems trained on internal data, those models and their training pipelines are becoming high-value targets in their own right — not just the data sets that feed them.

Negotiation theatre is part of the playbook. The verification step, the selective withholding, the public statement explaining their reasoning — none of this is incidental. Modern extortion groups are running structured, almost corporate negotiation processes designed to maximize payout probability while managing public perception. Understanding this pattern helps security and legal teams anticipate what comes next when facing a similar incident.

For any company handling sensitive research, proprietary models, or regulated personal data, the Novo Nordisk case is a live example of how a breach unfolds in real time — from initial compromise, to ransom negotiation, to public exposure when payment doesn't happen.

---

What Happens Next

Novo Nordisk has not confirmed the authenticity of the leaked files, and Reuters was unable to independently verify them either. Whether the alleged data is genuine, partially genuine, or significantly exaggerated will likely become clearer if and when FulcrumSec follows through on its threat to begin private sales.

What's already clear is that the company is now managing a live security incident, a financial extortion threat, and a public credibility question simultaneously — three problems that, once public, tend to move on very different timelines.