Novo Nordisk hackers turn to private sale after Ozempic maker refuses $25M ransom demand


Novo Nordisk hackers say they are now “exploring private sales” after the Ozempic and Wegovy maker reportedly declined to fork over a $25 million ransom to recover 1.3TB of clinical trial data allegedly stolen from its systems in March.

The announcement by cybercriminal group FulcrumSec comes just days after the pharmaceutical giant began notifying patients and healthcare providers (HCPs) of the massive data breach on June 11th.

Novo Nordisk confirms patient data breach

Without listing the exact date of the breach, Novo Nordisk said it had recently discovered “unauthorized access to certain personal data” in a lengthy statement posted on its website last Thursday.

Labeling the leak an “IT Security Incident,” the Denmark‑based pharmaceutical company revealed that an unknown third party had “copied the non-public data externally without authorization.”

Novo Nordisk disclosed an “IT Security Incident” involving unauthorized access to certain personal data. Image by Cybernews via novonordisk.com

"The incident affected a limited amount of information related to patients participating in some of our clinical trials," the drug company said, although it did not disclose what type of trials.

Novo Nordisk said the exposed patient data may include the following:

  • Patient ID (random alphanumeric string) and information on trial participation
  • Sex
  • Year of birth
  • Biomarkers
  • Health/immunogenicity data
  • Lifestyle factors, e.g. smoking, alcohol use, BMI

The global GLP-1 manufacturer stressed that the risk to patients is limited as the data was pseudonymized, meaning there are no direct personal identifiers linking patients to the trial information.

Core business operations were not impacted and remain up and running, it said.

Still, even without usable identifiers, Ross Filipek, CISO at Corsica Technologies, points out that health data can still carry long-term value when combined with other stolen information.

“When an ePHI breach does not include patient names, attackers may try to reverse-engineer identities by pairing details like birth date, postal code, or gender with outside data sources,” he said.

Additionally, Filipek says, “Attackers can use partial medical details to build convincing phishing messages, impersonate trusted organizations, or pressure people with information that feels deeply personal.”

The company also noted it is working with outside cybersecurity experts who have taken “multiple security measures,” including temporarily rendering the affected systems offline to prevent further damage while restoration continues.

Copies of the notice Novo Nordisk began sending out to patients and healthcare providers (HCPs) were also available for review.

Hackers turn to private sales after $25M ransom refusal

Founded in 1923, Novo Nordisk markets its products in more than 170 countries and employs 67,000 people worldwide. Its annual revenue in 2025 was about $47 billion.

Meanwhile, FulcrumSec, the threat actors claiming responsibility for the attack, say they spent more than two months inside Novo Nordisk's network before allegedly exfiltrating roughly 1.3TB of data spanning clinical trials, drug development programs, source code repositories, employee records, and proprietary artificial intelligence assets.

The attackers’ claims also extend far beyond the limited clinical trial data acknowledged by Novo Nordisk, with FulcrumSec alleging the cache includes information about secret drug programs and what it describes as “confidential recipes,” including manufacturing details tied to the company's GLP-1 pipeline.

FulcrumSec claims it stole 1.3TB of data from Novo Nordisk. FulcrumSec leak site. Image by Cybernews.

After weeks of alleged communications with Novo Nordisk, FulcrumSec claims the pharmaceutical giant ultimately declined to pay a $25 million ransom demand to prevent the release of the stolen data.

The group says it had originally offered to withhold portions of the data and refrain from publicly releasing certain records if the company agreed to negotiate. According to the hackers, Novo Nordisk later confirmed it would not pay.

In response, FulcrumSec says it is now "exploring private sales" of some of the information allegedly taken during the breach.

The group claims the stolen data could be valuable to competitors because it allegedly contains proprietary drug research, internal AI models, manufacturing information, and details related to Novo Nordisk's future development pipeline.

Cybernews could not independently verify the group's claims, and Novo Nordisk has not publicly confirmed the scope of the data allegedly stolen by the attackers.

Filipek says the business and reputational fallout on Novo Nordisk could be extensive.

“Clinical trials depend on confidence from patients, providers, regulators, and research partners. Even a limited breach can create hesitation. If attackers had dwell time inside the environment, the concern shifts from data exposure to data integrity,” Filipek explains.

Besides the exposure of intellectual property, Filipek says pharmaceutical organizations may also need to determine whether research data was altered and if regulatory obligations were triggered. “Active trials could also face delays while the incident is investigated,” he added.

What the attackers claim to have stolen

According to a leak manifesto of more than 4,000 words published on its victim blog, the group claims to have obtained more than 700,000 files, including data tied to approximately 11,500 pseudonymized clinical trial participants, 163,000 employee records, thousands of source code repositories, and dozens of internal AI models and datasets.

The hackers also claim to have accessed information related to unreleased drug programs, proprietary manufacturing processes, and more than 41,000 experimental drug compounds.

Besides listing the hoards of data it allegedly exfiltrated from Novo Nordisk, the hacker gang also took time to explain its motivation while taking cheap shots at the company’s so-called lax cybersecurity measures.

Novo Nordisk spends “more on R&D in a quarter than most biotech companies raise in a lifetime. It remains astonishing to us that a $400 billion corporation with a dedicated cybersecurity division cannot be bothered to monitor their frontend bundles,” the group wrote.

The attackers also revealed what they claim are the rudimentary, once-encrypted plaintext passwords to the company's “pharmacovigilance middleware — the system that processes reports of patients dying, having strokes, going into comas, or attempting suicide while on their drugs.”

FulcrumSec claims that compromising Novo Nordisk’s GitHub Personal Access Token (PAT) allowed them to “spider” throughout the company’s various cloud systems and access “over a thousand private repositories.” FulcrumSec leak site. Image by Cybernews.

"From those two credentials, we moved laterally through Novo’s Azure DevOps, GitHub, AWS, and HuggingFace environments over a period of over two months," they wrote, referring to the seemingly unfettered access to their cloud environment.

FulcrumSec did say it is withholding some of the most sensitive information – including healthcare provider records, certain patient-related data, and operational technology information tied to manufacturing systems – as part of what it describes as a "harm-reduction strategy."

Who is FulcrumSec?

FulcrumSec – apparently short for Fulcrum Security – is a relatively new cyber extortion crew that first surfaced in October 2025.

Unlike traditional ransomware gangs, some threat-intel trackers list FulcrumSec as a “data broker” style actor, meaning it primarily leaks or sells stolen datasets rather than deploying ransomware to encrypt victim systems.

Known for targeting “multimillion-dollar global corporations, who simply could not be bothered with basic security practices,” the self-proclaimed “threatspians” in March claimed responsibility for a major breach of the legal and data analytics giant LexisNexis.

FulcrumSec claimed responsibility for the LexisNexis breach on BreachForums in March 2026. Image by Cybernews.

The hackers allegedly exfiltrated roughly 3.9 million records from LexisNexis cloud environments, including profile data exposing 400,000 users, as well as a massive dataset of .gov email accounts linked to courts, federal agencies, and other public-sector institutions.

The FulcrumSec dark web leak site appears to favor a dramatic flair, mocking its victims by posting them under what it labels as “concept campaigns,” including “Index of Shame” and “Hardcoded Horror Show,” as well as the soon-to-be-functional emerging category for AI companies, “Slopocalypse Now.”

FulcrumSec categorizes victims under themed "concept campaigns" such as The Hardcoded Horror Show and Index of Shame. Image by Cybernews

Researchers tracking the group have also said its claims should not be dismissed outright.

Thomas Willkan, head of research at cybersecurity firm Lab-1, told Reuters that FulcrumSec is "usually quite legit in terms of both their capabilities and also their claims."
