Key Points
- A cybercriminal organization known as FulcrumSec alleges it extracted more than 1.3 terabytes of sensitive information from Novo Nordisk following the pharmaceutical giant’s refusal to pay a $25 million extortion demand.
- The allegedly compromised data encompasses source code, confidential pharmaceutical formulations, patient trial documentation, and proprietary artificial intelligence algorithms.
- According to FulcrumSec, infiltration occurred through a compromised GitHub authentication token found in March, allowing extended network access spanning over eight weeks.
- On June 11, Novo Nordisk publicly acknowledged a security breach, verifying that unauthorized parties accessed select internal technology infrastructure and sensitive personal information.
- The cybercriminal collective states it plans to pursue targeted private transactions for segments of the stolen information, while pledging to withhold patient records, personnel details, and production facility data.
On June 11, Novo Nordisk publicly acknowledged experiencing a cybersecurity compromise, stating that intruders had penetrated a restricted set of internal technology systems. This announcement followed months of unauthorized presence by FulcrumSec, a ransomware and data extortion collective, within the company’s digital infrastructure.
At the moment of public disclosure, NVO stock was hovering near the $66 mark. The pharmaceutical company’s shares have experienced downward momentum in recent trading periods, and this security incident introduces additional investor concerns.
According to FulcrumSec’s account, the initial breach vector was a GitHub authentication credential discovered during March. This compromised token provided entry to internal software repositories, enabling the extraction of supplementary access credentials that facilitated deeper system penetration.
The organization maintains it operated undetected within Novo Nordisk‘s network infrastructure for over 60 days. During this extended period, the group claims to have exfiltrated approximately 1.3 terabytes of information distributed across more than 700,000 discrete files.
FulcrumSec contacted unidentified executives at the pharmaceutical company with a $25 million payment demand. The corporation responded on June 3—approximately two days following the extortion attempt—utilizing a Proton Mail account to authenticate the communication channel. Subsequently, Novo Nordisk rejected the monetary demand.
Following the company’s refusal to negotiate, FulcrumSec indicates it is pursuing alternative monetization strategies through selective private transactions involving portions of the extracted dataset.
The cybercriminal group informed Reuters that public dissemination would be its preferred approach, characterizing such action as “a more effective deterrent for future companies to avoid paying.”
Contents of the Alleged Breach
FulcrumSec maintains the compromised files encompass software source code, confidential intelligence regarding both commercially available medications and developmental pipeline compounds, patient study documentation, and sensitive information connected to the company’s production operations.
Additionally, the group claims possession of internal machine learning and artificial intelligence system files. This assertion carries particular significance considering Novo Nordisk’s publicly announced collaboration with OpenAI, an initiative designed to embed AI capabilities throughout pharmaceutical research, production processes, and market operations with targeted completion by late 2026.
The collective asserts it will withhold specific data categories from publication. These protected classifications include personnel records affecting thousands of staff members and medical professionals, information concerning approximately 11,500 de-identified clinical trial participants, and operational technology documentation from manufacturing locations.
FulcrumSec characterized this selective withholding approach as implementing its “harm-reduction strategy.”
Verification and Credibility
Thomas Willkan, who directs research operations at cybersecurity organization Lab-1, informed Reuters that the group demonstrates reliability “usually quite legit in terms of both their capabilities and also their claims.” Willkan has maintained detailed surveillance of FulcrumSec activities since the organization first appeared in October 2025.
Reuters noted it could not independently authenticate the legitimacy of materials published by the cybercriminal organization.
A corporate representative from Novo Nordisk stated the organization “is aware of claims that data allegedly copied externally without authorisation from our systems has been published online,” and verified engagement with appropriate regulatory bodies.
DataBreaches.net documented on June 15 that FulcrumSec distributed supposed communication exchanges with Novo Nordisk beginning June 1, accompanied by a file inventory exceeding 700,000 entries representing roughly 1.3 terabytes of information.
VX-Underground additionally published reporting on Monday regarding an unidentified threat actor compromising Novo Nordisk systems. FulcrumSec maintains its intrusion represents a distinct incident from that reported breach.
