Key Highlights
- Cybercriminal organization FulcrumSec alleges it extracted more than 1.3 terabytes of sensitive information from Novo Nordisk following the pharmaceutical company’s rejection of a $25 million extortion payment.
- The purported stolen material encompasses source code, confidential pharmaceutical formulations, clinical research documentation, and proprietary artificial intelligence model data.
- According to FulcrumSec, initial system penetration occurred through a compromised GitHub access token identified in March, allowing extended network access exceeding two months.
- On June 11, Novo Nordisk publicly acknowledged a cybersecurity breach, verifying that intruders had penetrated select internal information technology infrastructure and accessed personal information.
- The cybercriminal collective now indicates it plans to pursue selective private transactions for portions of the compromised data, while pledging to protect patient records, employee information, and production-related files.
On June 11, Novo Nordisk officially acknowledged a cybersecurity breach, revealing that unauthorized parties had successfully penetrated a restricted set of internal information technology infrastructure. This public statement emerged several days after the ransomware and extortion collective known as FulcrumSec had reportedly maintained persistent access within the pharmaceutical giant’s digital environment for an extended period.
Shares of NVO were hovering near $66 when the company made its initial breach announcement. The stock has experienced downward momentum over recent months, and this cybersecurity incident introduces additional concerns for investors.
According to FulcrumSec’s account, their initial penetration occurred via a compromised GitHub access token they discovered in March. This credential provided the attackers entry into internal code storage systems, which they subsequently exploited to harvest additional authentication credentials and expand their foothold throughout Novo Nordisk’s infrastructure.
The group maintains it operated undetected within the corporate network for over two months. During this time, they claim to have exfiltrated approximately 1.3 terabytes of information encompassing more than 700,000 discrete files.
FulcrumSec initiated contact with unidentified Novo Nordisk executives, presenting a $25 million payment demand. Company representatives responded on June 3 — approximately 48 hours following the initial extortion attempt — utilizing a Proton Mail account to verify their identity. Subsequently, Novo Nordisk refused to submit payment.
Following the ransom refusal, FulcrumSec indicates it is now pursuing private sale opportunities for selected segments of the compromised data collection.
The cybercriminal organization informed Reuters it would actually favor public disclosure of the information, characterizing such action as “a more effective deterrent for future companies to avoid paying.”
Nature of Compromised Information
FulcrumSec asserts the exfiltrated materials encompass source code, confidential details regarding both currently marketed and developmental pharmaceutical products, clinical trial documentation, and information connected to Novo Nordisk’s production operations.
The group also claims possession of internal artificial intelligence model files. This particular element carries significance considering Novo Nordisk’s publicly announced collaboration with OpenAI, designed to incorporate AI capabilities throughout drug development, manufacturing processes, and business operations by the conclusion of 2026.
FulcrumSec maintains it will withhold specific data categories from release. These protected records include information pertaining to thousands of staff members and medical professionals, documentation concerning approximately 11,500 anonymized clinical trial participants, and operational technology documentation from Novo Nordisk’s manufacturing sites.
The organization characterized this approach as aligned with its “harm-reduction strategy.”
Verification and Legitimacy Evaluation
Thomas Willkan, research director at cybersecurity organization Lab-1, informed Reuters that the collective is “usually quite legit in terms of both their capabilities and also their claims.” Willkan has maintained close surveillance of FulcrumSec activities since the group first surfaced in October 2025.
Reuters indicated it could not immediately authenticate the legitimacy of materials published by the cybercriminal group.
A Novo Nordisk representative stated the organization “is aware of claims that data allegedly copied externally without authorisation from our systems has been published online,” and verified communication with appropriate regulatory authorities.
DataBreaches.net published a report on June 15 indicating that FulcrumSec provided alleged communication records with Novo Nordisk commencing June 1, including a directory listing exceeding 700,000 items representing approximately 1.3 terabytes.
VX-Underground similarly issued a report on Monday regarding an unidentified threat actor compromising Novo Nordisk systems. FulcrumSec asserts its operation represents a distinct incident from that reported breach.


