A notorious hack-and-leak crew has claimed credit for the recent breach at Novo Nordisk — and says it tried, and failed, to squeeze $25 million out of the Danish drugmaker.
FulcrumSec took credit for last week’s hack of the pharmaceuticals giant, according to Reuters. The group claims it spent more than two months inside Novo Nordisk’s networks before the company caught on.
The ransom demand reportedly went nowhere. Now FulcrumSec says it is weighing the sale of parts of the stolen data instead. The criminals said they made off with about 1.3TB across more than 700,000 files, including source code, data on released and unreleased drugs, trial data, and internal AI model information.
Reuters could not verify the authenticity of the data, and Novo Nordisk has not confirmed FulcrumSec was behind the attack.
FulcrumSec says it is withholding data on thousands of employees and physicians, along with roughly 11,500 clinical trial patient records, as part of what it calls a “harm-reduction strategy.”
What Novo Nordisk has acknowledged is narrower.
In an 11 June disclosure, the company described an “IT security incident” involving unauthorized access to a limited number of internal IT systems and the theft of “non-public data.”
For those that don’t speak public relations, that means Novo Nordisk got hacked and had to submit a public data breach notification.
“While our investigation and response are ongoing, we have discovered that certain non-public data, including personal data, were copied externally without authorization. We are informing the impacted parties as appropriate,” the company said. “Our core business operations are not impacted and remain up and running.”
On the patient side, Novo Nordisk is playing down the risk.
In a message posted to its website (PDF), Novo Nordisk said the exposed clinical trial data consisted of pseudonymized data — patient ID numbers, year of birth, sex, biomarkers and lifestyle factors.
The more immediate risk may be to healthcare professionals rather than patients. Novo Nordisk told HCPs that exposed data may include names, registration numbers, email addresses, phone numbers, WhatsApp details and office locations.
The company said it has launched an investigation with outside cybersecurity experts, contacted relevant authorities and temporarily taken some internal IT systems offline as part of its response.
Researchers who have tracked FulcrumSec say the Novo Nordisk claims fit the group’s broader pattern: cloud access, rapid data theft and public pressure rather than traditional ransomware encryption.
MOXFIVE, which profiled FulcrumSec last week, described the group as an aggressive extortion crew focused on enterprise cloud environments, exposed credentials, misconfigured storage and public-facing applications. The firm said it has not observed ransomware binaries or file-encryption behavior across known FulcrumSec operations.
Novo Nordisk is warning potentially affected people to be wary of phishing by email, phone or WhatsApp — confirmation, if any were needed, that the stolen contact details are good enough to run scams with.
Thomas Wilkan, head of research at Lab-1, told Reuters the group is usually credible in both its capabilities and its claims.
FulcrumSec, for its part, told DataBreaches that Novo Nordisk was slow to respond and that it had finished copying data long before the company rotated any credentials — long enough, it claimed, to quietly compromise Novo Nordisk’s Okta and Hugging Face accounts, the latter a plausible route to the AI model data it says it holds.
FulcrumSec first surfaced in October 2025 and has since been tied to real damage, including the confirmed breach of LexisNexis and a 300GB theft from Australian fintech youX that hit more than 444,000 borrowers, according to breach intel firm Dataminr.
The social chatter around the incident has focused less on patient exposure and more on the apparent targeting of code repositories and intellectual property. In one LinkedIn security thread of cybersecurity researcher Christoffer Silversparre, a commenter summed up the technical concerns bluntly: “Looks like they hit code repos again.”
That claim has not been independently verified, and Reuters said it could not confirm the authenticity of the data FulcrumSec posted. However, the pattern is familiar: a fast-moving extortion group, an alleged GitHub access-token compromise, and a victim whose most valuable data includes drug research, clinical-trial records, source code and manufacturing-related information.

Shaun Nichols is an IT news journalist. He has spent nearly 20 years covering the industry with a specialty in the cybersecurity