FulcrumSec Spent 2 Months Inside Novo Nordisk Networks Before $25M Demand
Key Takeaways
- Cybersecurity experts assess FulcrumSec as a serious threat actor, and its two-month dwell time inside Novo Nordisk before making a $25 million extortion demand reflects advanced persistent threat tactics.
- The breach highlights growing risks to critical infrastructure and the evolution of cyber extortion with a harm-reduction narrative.
Key Intelligence
Key Facts
- FulcrumSec claims to have stolen more than 1 terabyte of data from Novo Nordisk after a two-month network intrusion.
- The stolen data includes source code, proprietary drug information (released and unreleased), clinical trial data, employee/physician/patient records, AI model details, and production facility operational technology.
- The group demanded a $25 million ransom payment, which Novo Nordisk refused; FulcrumSec is now exploring private sales of certain drug-related data.
- Novo Nordisk disclosed a cybersecurity incident on June 11, acknowledging unauthorized access to a limited number of internal IT systems and the exposure of some personal data.
- FulcrumSec says it will withhold data on 11,500 clinical trial patients, thousands of employees and physicians, and operational technology software as part of a harm-reduction policy.
- Thomas Willkan, head of research at Lab-1, stated FulcrumSec is “usually quite legit in terms of both their capabilities and also their claims,” lending credibility to the breach assertion.
Analysis
For cybersecurity professionals, the FulcrumSec breach of Novo Nordisk is a case study in modern cyber extortion: a two-month dwell time, the theft of over a terabyte of data, and a demand for $25 million. The group’s decision to withhold certain sensitive data under a harm-reduction policy adds a nuanced layer to the typical ransomware playbook, signaling a shift in extortionists’ public relations strategies. Lab-1’s Thomas Willkan confirmed FulcrumSec’s track record is credible, making this an incident to study for TTPs.
A cyber extortion group known as FulcrumSec has publicly claimed to have stolen more than a terabyte of data from pharmaceutical giant Novo Nordisk, demanding $25 million in ransom. The group, which first appeared in October 2025 and has been described by security researchers as credible in both capabilities and claims, says it spent over two months inside Novo Nordisk’s networks exfiltrating a broad range of sensitive information. The stolen data reportedly includes company source code, proprietary details on released and unreleased drugs, clinical trial data, personal information on employees, physicians, and roughly 11,500 pseudonymised patients, as well as information about production facilities and internal AI models. After Novo Nordisk refused to pay, FulcrumSec said it is exploring private sales of certain drug-related data and may open-source the remainder as a deterrent tactic.
The incident first came to light when Novo Nordisk disclosed a cybersecurity breach on June 11 that it characterized as unauthorized access to a limited number of internal IT systems involving some personal data. FulcrumSec, however, paints a far more extensive picture. In a message posted on its site on June 16 and in subsequent email exchanges with Reuters, the group detailed a timeline that suggests initial contact was made with unnamed executives around June 1, with the company responding two days later via a Proton Mail address for verification. Novo Nordisk confirmed to Reuters that it is aware of the published claims and is coordinating with authorities, but would not comment further on the scale of the breach.
The implications for Novo Nordisk are severe. The company, best known for its blockbuster obesity and diabetes treatments, faces not only potential regulatory penalties under GDPR and other data protection laws but also the risk that proprietary research could fall into competitors’ hands. While FulcrumSec says it will withhold employee, physician, and patient data as part of a “harm-reduction strategy,” the release or sale of drug-related intellectual property could undermine years of R&D investment. Thomas Willkan, head of research at cybersecurity firm Lab-1, who has tracked FulcrumSec closely, noted that the group’s claims are usually legitimate, adding credibility to the threat.
From a broader sector perspective, this incident underscores the growing targeting of pharmaceutical companies by sophisticated cyber extortion groups. The stolen data categories—ranging from unreleased drug information to internal AI models—reflect an understanding of which assets hold the most value, both for ransom leverage and for potential resale. The two-month dwell time indicates careful planning and a high degree of network penetration, likely evading detection while systematically mapping and exfiltrating data. FulcrumSec’s public stance on harm reduction is a notable evolution in extortion tactics; by selectively withholding certain data, the group seeks to differentiate itself and possibly apply moral pressure while still maximizing profitability.
What to Watch
The theft of AI model information is particularly troubling given the pharmaceutical industry’s increasing reliance on machine learning for drug discovery and process optimization. If the exfiltrated models contain proprietary algorithms or training data, competitors or state-sponsored actors could gain a shortcut to Novo Nordisk’s innovations. Additionally, the inclusion of operational technology and software used to interact with sensors and machinery at production facilities raises the specter of industrial sabotage, though FulcrumSec has pledged not to release that data.
Looking ahead, the incident is likely to spur regulatory scrutiny and force a reevaluation of cybersecurity budgets across the pharma sector. With FulcrumSec still active and threatening to sell data privately, Novo Nordisk faces ongoing uncertainty. The market reaction—reflected in a modest decline in Novo Nordisk’s share price—suggests investors are weighing the potential long-term damage against the company’s robust fundamentals. How Novo handles the post-breach response, including its transparency with patients and partners, will be critical in shaping its reputation and legal exposure.
Timeline
FulcrumSec Emerges
The cyber extortion group FulcrumSec first appears, later becoming known for credible claims and sophisticated intrusions.
Initial Extortion Contact
FulcrumSec contacts unnamed Novo Nordisk executives demanding $25 million; the exact method is not publicly detailed.
Novo Nordisk Responds
Roughly 48 hours after initial outreach, Novo Nordisk uses a Proton Mail address to verify the legitimacy of the claim by requesting specific file contents.
Company Discloses Breach
Novo Nordisk publicly announces a cybersecurity incident involving unauthorized access to a limited number of internal IT systems and some personal data.
FulcrumSec Goes Public
FulcrumSec posts a lengthy message on its website detailing the breach, the $25 million extortion demand, and the decision to explore private data sales after payment refusal.