Two unrelated threat actors each claimed to have separately breached Novo Nordisk, the Danish pharmaceutical manufacturer, and issued extortion demands totaling $75 million combined — $50 million from one group and $25 million from a second. According to reporting by DataBreaches.net, neither demand was met. The coincidence of two independent intrusion claims against the same high-value target in the same window is unusual and points to how aggressively pharmaceutical companies are being hunted by criminal actors operating without coordination.
What happened
The first actor, a group identifying itself as FulcrumSec, published a detailed account of its claimed intrusion on a dark web leak site, including specifics about data allegedly acquired during the breach. A second, unrelated actor then surfaced through the encrypted messaging application Signal, also claiming access to Novo Nordisk systems and issuing a separate demand.
DataBreaches.net, which was contacted directly by the second party, reported the claims as they emerged. Novo Nordisk has not, as of the published reporting, confirmed the nature or scope of either claimed intrusion publicly.
Why pharmaceutical targets attract overlapping attention
Pharmaceutical companies hold a combination of data types that make them attractive to multiple categories of threat actors simultaneously: proprietary drug development research, clinical trial participant data, employee health records, and large-scale supply chain relationships that create leverage points.
That two groups independently pursued the same target at roughly the same time is less a coincidence than a product of how threat actors select victims. High-revenue organizations with complex, globally distributed infrastructure tend to appear on multiple initial-access brokers' lists, and separate actors may purchase or independently discover access without awareness of each other's activity.
Novo Nordisk, as the manufacturer of high-demand GLP-1 medications and a company with extensive clinical trial infrastructure, fits the profile of an organization whose data would carry market value beyond a simple ransom payment — whether sold to competitors, nation-state actors, or used for follow-on fraud.
What independent practices should take from this
The Novo Nordisk situation involves a large multinational, but the structural conditions it illustrates apply at smaller scale to specialty practices and clinics that participate in clinical research, handle investigational drug data, or sit inside pharmaceutical supply chains as dispensing partners.
Practices in those relationships should consider:
- Third-party data exposure audits. Any organization receiving or transmitting clinical trial data should periodically verify what data it holds, where it is stored, and which external parties have access.
- Incident response planning for double and triple extortion. The pattern of multiple actors targeting the same organization simultaneously means a response plan built around a single negotiation track may be insufficient.
- Dark web monitoring for credential and data exposure. Organizations that appear on initial-access broker listings may face sequential intrusion attempts from buyers unaware of each other's activity.
What the non-payment signals
Both demands went unmet. While that outcome aligns with law enforcement guidance against paying ransoms, it does not mean the data was recovered or that publication was prevented — FulcrumSec proceeded with a detailed public disclosure on its leak site regardless of payment status.
The non-payment outcome is consistent with a broader shift among larger organizations toward treating extortion demands as a legal and reputational calculation rather than a technical one. For organizations with significant regulatory obligations — including pharmaceutical companies subject to FDA data integrity requirements and covered entities under HIPAA — the calculus increasingly favors non-payment, accepted breach notification costs, and litigation risk over funding criminal operations. Smaller practices facing similar demands often lack the legal and forensic infrastructure to make that calculation confidently, which remains a gap the industry has not adequately addressed.