Novo Nordisk, the Danish pharmaceutical company best known for its diabetes and obesity drug portfolio, confirmed two separate intrusions in the span of days — one by a group calling itself FulcrumSec demanding $50 million, and a second by an as-yet-unidentified actor demanding $25 million. Neither demand was paid, according to reporting by DataBreaches.net. The case is among the highest-profile double-extortion events recorded against a pharmaceutical target and arrives as ransomware groups increasingly treat life-sciences companies as high-value victims capable of absorbing eight-figure demands.
Two actors, one target
FulcrumSec published a detailed technical disclosure on its dark web leak site after DataBreaches.net first reported the intrusion. The group described the data it claimed to have exfiltrated and provided what it characterized as proof of access. The second actor contacted DataBreaches.net directly via Signal, asserting an independent compromise and a separate $25 million demand.
Whether the two intrusions share a common initial access vector has not been confirmed publicly. The possibility of two unrelated groups successfully breaching the same organization within a similar timeframe points to either a shared vulnerability that was exploited independently or — more concerning — the existence of an access broker who sold entry to multiple buyers.
What the non-payment decision signals
Novo Nordisk's decision not to pay either demand follows a pattern among larger enterprises that have invested in incident-response retainers and offline backup architectures capable of sustaining operations without capitulating to extortion. That calculus is harder for smaller organizations — including specialty pharmacies, pharmacy benefit managers, and regional health systems that sit inside pharmaceutical supply chains — where recovery timelines and disruption costs may favor payment even when policy discourages it.
The $75 million combined ask also illustrates how threat actors calibrate demands to perceived revenue. Novo Nordisk reported roughly $33 billion in net sales in 2024. Groups operating at this tier of targeting treat a ransom demand as a percentage-of-revenue negotiation, not a flat-rate commodity crime.
Supply chain exposure for US healthcare
Novo Nordisk's US operations include manufacturing, distribution, and clinical partnerships that touch patient care directly. Any disruption to drug availability — particularly for GLP-1 medications already subject to supply constraints — carries downstream risk for prescribers and patients. US-based covered entities and business associates that rely on pharmaceutical manufacturers as part of their care delivery chain have limited contractual visibility into those manufacturers' security controls, a gap that ONC and HHS have not yet addressed through formal vendor-risk requirements.
Independent practices should treat this incident as a prompt to review which pharmaceutical data integrations — electronic prior authorization, e-prescribing networks, specialty pharmacy portals — connect to their EHR environments and what access those integrations carry. Credential segmentation and network monitoring at integration points are among the first controls that reduce lateral-movement risk if an upstream partner is compromised.
What this signals about the next 12 months
Pharmaceutical and life-sciences companies have historically been treated as secondary targets compared to hospital networks, but FulcrumSec's Novo Nordisk operation demonstrates that groups are now willing to invest in the reconnaissance and access development needed to target firms with multi-billion-dollar revenue. As GLP-1 drugs, oncology biologics, and AI-assisted drug discovery platforms raise the strategic value of pharmaceutical intellectual property, the threat-actor calculus will continue to shift toward this sector. Healthcare organizations that depend on pharmaceutical data feeds or specialty drug programs should expect the indirect exposure from pharma-sector intrusions to grow.