FulcrumSec Targets Novo Nordisk, Leaks Clinical and Research Data

Pierluigi Paganini
June 17, 2026

FulcrumSec leaked data stolen from Novo Nordisk, claiming to have exfiltrated 1.3TB, including clinical records and AI research assets.

On June 15, 2026, a data-theft extortion group calling itself FulcrumSec began leaking files from Novo Nordisk, the Danish maker of Ozempic and Wegovy, after the company refused a $25 million ransom demand. The attackers claimed access since March, opened a dialogue with Novo Nordisk on June 1, and started posting samples and a file tree once negotiations went nowhere.

Novo Nordisk has confirmed unauthorized access to a limited number of internal IT systems and exposure of pseudonymized clinical-trial data, though it hasn’t validated the full scope of what FulcrumSec claims to have taken.

“Novo Nordisk A/S recently identified an IT security incident involving unauthorised access to a limited number of internal IT systems.” reads the notice published by the company. “The incident included unauthorised access to certain personal data stored on the internal IT systems.”

The clinical data is the confirmed part. Exposed records include randomly assigned patient IDs, sex, year of birth, biomarkers, health and immunogenicity data, and lifestyle factors like BMI, smoking, and alcohol use.

“The incident affected a limited amount of information related to patients participating in some of our clinical trials. This information is not directly linked to any patients by name or other direct identifiers. Information about identity would therefore require access to underlying information, identifying patients by name etc.” continues the notice. “This information was not exposed. We therefore do not consider the incident to enable any third party to identify participants in our clinical trials.”

For healthcare providers, the situation is different: names, registration numbers, email addresses, phone numbers, WhatsApp details, and office locations may have been taken, and none of that is pseudonymized.

FulcrumSec’s inventory of what it actually stole goes well beyond patient records, and this is the part that should concern every pharma CISO. The group published a detailed list of Novo Nordisk’s internal AI and machine-learning assets: a 16.7 GB multimodal model checkpoint reportedly handling text, image, and transcriptomic data, around 407 MB of proprietary biological and chemical training datasets, roughly 50 MB of source code for an internal tool the group calls NovoPert, complete logs from 113 training runs, HPC infrastructure maps, Slurm scheduler configs, SSH settings, about 53 GB of internal container images, developer identities, and private GitHub URLs.

“Two very different kinds of data, and that is what makes this nasty. The first is the obvious target: clinical-trial information.” reads the report published by Ransomnews. “The second kind is the one that should make every pharma CISO sit up. FulcrumSec published a detailed inventory of Novo Nordisk’s internal AI and machine-learning assets: a 16.7 GB multimodal model checkpoint that reportedly handles text, image and transcriptomic data, around 407 MB of proprietary biological and chemical training datasets, roughly 50 MB of source code for an internal tool the group calls NovoPert, complete logs from 113 training runs, plus HPC infrastructure maps, Slurm scheduler configs, SSH settings, about 53 GB of internal container images, developer identities and private GitHub URLs. Novo Nordisk has not confirmed or denied the AI claims. If even part of that is genuine, this is not a data breach in the ordinary sense. It is the theft of a drug-discovery research programme.”

Novo Nordisk has neither confirmed nor denied the AI claims, which is the responsible position until forensics are complete, and also the position the company would choose regardless.

The AI theft claim matters more than it might sound.

“A model checkpoint plus its training data and pipeline code is the distilled output of years of that work, and unlike a stolen customer database it does not lose value when it leaks.” continues Ransomnews. “A competitor, or a state-backed lab, that gets hold of a trained multimodal model for biological data inherits capability, not just records.”

Novo Nordisk has backed Denmark’s first AI supercomputer and runs machine learning across drug discovery, molecular design, and trial optimization. If even part of FulcrumSec’s inventory is genuine, what was stolen isn’t a data breach in the ordinary sense. It’s the output of a research program.

FulcrumSec itself is worth understanding. The group runs a clearnet leak site at fulcrumsec.net and a Tor mirror and operates as a pure extortion operation with no file encryption. Ransomnews pulled the crew’s full record from Ransomtracker: 25 victims claimed in 2026, 21 of them landing in a single April dump of mid-tier targets. Novo Nordisk, listed June 16, is the only high-value name on the entire list and the biggest target the group has ever claimed. That April bulk dump followed by two months of silence followed by a single large target is a pattern worth noting: it suggests the crew had been working the Novo Nordisk intrusion for weeks while the April listings padded the public record.

The credential exposure data adds context. Running novonordisk.com through the Ransomnews Stealercheck tool against the infostealer log index returns 211 sets of employee credentials tied to novonordisk.com addresses, 580 logins captured directly on Novo Nordisk’s own pages, and 2,932 session cookies. Session cookies are the detail that matters most here: a stolen but still-valid cookie lets an attacker resume a logged-in session with no password and no multi-factor prompt.

“By the time a company lands on a leak site, the warning signs were usually sitting in stealer logs for weeks. Nobody was reading them.” states Ransomnews.

Novo Nordisk’s operational response has been competent. The company identified the unauthorized access on June 11-12, brought in external investigators, notified regulators and law enforcement, and confirmed that drug production and supply chains kept running throughout.

““As part of our response, multiple security measures have been taken, including temporarily taking certain internal IT systems offline to protect our environment.” concludes the company’s notice. “We are working to bring the affected systems back online in a controlled and safe manner; however, we acknowledge this process takes time. ““

The factories never stopped. The harder question is what happens to the AI models, because once a trained checkpoint is out in the world, no ransom payment and no court order puts it back.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon