A cyber-extortion group calling itself FulcrumSec said on Monday that it had stolen roughly 1.3 terabytes of data from Novo Nordisk, the Danish maker of the weight-loss drugs Wegovy and Ozempic, and had demanded $25 million to keep it private. Novo Nordisk did not pay. The group, by its own account, is now looking for buyers.
The numbers in a breach like this are easy to recite and hard to feel. A terabyte and a third is a lot of files; the more telling figure is time. FulcrumSec claims it spent more than two months inside the company’s networks before anyone moved it out, which is the part of the story that should worry a board more than the ransom note. Two months is not a smash-and-grab.
What the group says it took reads like an index of everything a pharmaceutical company would least like to lose: source code, proprietary information on drugs both released and unreleased, clinical-trial data, records on employees, doctors and patients, details of manufacturing facilities, and material the group described as relating to the company’s internal AI models.
The breadth is the point. This was not a single database left exposed but, on FulcrumSec’s telling, a long walk through the building.
The 💜 of EU tech
The latest rumblings from the EU tech scene, a story from our wise ol' founder Boris, and some questionable AI art. It's free, every week, in your inbox. Sign up now!
Novo Nordisk confirmed it had detected unauthorised access to certain internal IT systems and said it was responding to the incident. The company has not corroborated the volume of data the group claims, nor independently verified the specific categories of stolen material, and at the time of writing the details rest largely on FulcrumSec’s own statements.
After the company declined the demand, the group said it was exploring private sales of some of the data, including material tied to particular drugs.
FulcrumSec is a relatively new name. It surfaced in October 2025 and has since followed the now-standard playbook of the double-extortion crews: get in, exfiltrate quietly, then threaten publication rather than bothering to encrypt.
The model works because stolen healthcare and research data has durable value on criminal markets, useful for fraud, identity theft and targeted phishing long after the initial theft, a dynamic TNW has tracked across a string of healthcare breaches.
The refusal to pay is the bet most security professionals would advise and the one that guarantees the next phase. Paying funds the next attack and offers no real assurance the data will be deleted; refusing means the material is likely to leak or sell.
Whether to ban ransom payments outright is a question that has split the cybersecurity industry for years, and cases like this one are exactly why.
For now, Novo Nordisk is in the uncomfortable position of having made the defensible choice and still facing the consequence. The ransom was declined. The data, if FulcrumSec is telling the truth, is on the market.
Get the TNW newsletter
Get the most important tech news in your inbox each week.