Hacking ring seeks to extort Novo Nordisk after cyberattack


Details are starting to emerge of last week's cyberattack on Novo Nordisk, which now appears to have been a $25 million extortion attempt by hack-and-leak group FulcrumSec.

The cybercriminal network, which emerged at the end of 2025, specialises in breaching corporate cloud databases built on systems such as Amazon Web Services (AWS) or Microsoft Azure, downloading sensitive information, and then demanding money in exchange for not selling the data to a third party or making it public.

It has been reported that after the extortion attempt failed, the group offered the exfiltrated data for sale via Dark Web channels.

The breach was disclosed by Novo Nordisk on 11th June, with the company saying data had been "copied externally without authorisation" – including patient information – and affected "a limited number of internal IT systems."

According to the DataBreaches.net blog, FulcrumSec claimed responsibility for the incident two days later, and said it had been accessing Novo Nordisk's systems since March using dormant access credentials. It also said it had been able to find additional credentials in the following two-and-a-half months – even after Novo Nordisk became aware of the breach – which allowed it to continue copying data.

The group maintains that it accessed source code and AI models, proprietary information on marketed and experimental drugs – including Amycretin and CagriSema for weight loss and diabetes – and clinical trial data, all of which could be of value to rival organisations.

It also claims to have lifted pseudonymised information on around 11,500 research subjects – which would not allow individuals to be identified unless the group also accessed a master key – along with data on healthcare professionals and company employees that, if genuine, raise serious privacy concerns.

The compromised studies, it said, included the SELECT, FLOW, SOUL, and FOCUS trials of GLP-1 agonist semaglutide, as well as the ONWARDS trial of long-acting insulin icodec and Mim8 on haemophilia A therapy denecimig.

Has there been a second breach?

DataBreaches said yesterday it had been contacted by another individual, going by TheUSERS007, who claims to have lifted data from Novo Nordisk in a second, unrelated cyberattack that focused on AI assets. So far, Novo Nordisk has not acknowledged the reports of a second breach.

A spokesman for Novo Nordisk told Reuters that it is "aware of claims that data allegedly copied externally without authorisation from our systems has been published online. We take this matter seriously and maintain continued operations of our main platforms. We are in contact with the relevant authorities."

Image by Eden Moon from Pixabay