Do Son 
Novo Nordisk, the Danish pharmaceutical giant behind semaglutide, the widely known anti-diabetic medication also used for weight loss, has fallen victim to a major hacking incident. Attackers stole an enormous volume of data from the company’s internal infrastructure, including fully trained AI models, proprietary datasets, complete training codebases, training logs, and container images. Novo Nordisk has confirmed the breach, acknowledging that some data tied to clinical trial patients was also stolen. The company has since notified Danish regulators and brought in outside cybersecurity experts to investigate.
What the Hackers Claim to Have Stolen
The attackers published a detailed overview of the data they say they successfully exfiltrated. A project codenamed Dragonfly accounts for 16.7GB, comprising a complete multimodal model supporting text, image, and transcriptomic data, ready for direct inference use. Novo Nordisk’s proprietary training datasets total roughly 407MB, covering specialized biological and chemical data used to train these models. The complete source code, around 50MB, includes model classes, configuration files, forward-pass logic, loss calculations, and other components of the training pipeline.
The stolen materials also include complete logs from 113 training runs, used to examine both the intermediate progress and final results of model training, which the attackers cite as evidence supporting the authenticity of the leak. Beyond that, the haul reportedly contains a map of internal infrastructure, covering details of Novo Nordisk’s HPC high-performance computing facilities, its Slurm scheduling system, and SSH configurations. Various internal container images, totaling about 53GB, were also taken, having originally supported specific research and development workloads inside the company. Additional stolen material includes developer identities, internal hostnames, private GitHub repository URLs, along with CUDA API statistics and kernel and memory operation logs. The attackers shared evidence of the breach publicly, as seen in a post from the security research account vx-underground.
Novo Nordisk Confirms the Breach
Novo Nordisk acknowledged that a cybersecurity incident occurred around June 11 to 12, 2026, during which an unauthorized anonymous party accessed portions of the company’s internal IT infrastructure. As part of the breach, pseudonymized data belonging to clinical trial patients was stolen, including patient identifiers, birth year, gender, and health and immunogenicity data. The company emphasized that this data has been de-identified, meaning it cannot be directly used to identify any specific individual.
A Costly Loss for AI-Driven Drug Discovery
The stolen AI assets carry particular significance given Novo Nordisk’s broader strategy. The company has invested in building Denmark’s first AI supercomputer, using artificial intelligence for drug discovery, molecular design, and clinical trial optimization. The leaked model checkpoints and proprietary datasets hold considerable value for competitors, potentially eroding Novo Nordisk’s competitive edge in this space.
An Active Ransom Demand
The attackers are now attempting to extort Novo Nordisk directly. Should the company meet the hackers’ demands, the stolen data may never be published online or sold to rival firms. Whether Novo Nordisk will actually pay to keep this information confidential remains unclear, particularly given that the ransom being demanded for data of this nature is reportedly substantial.
Support Our Threat Intelligence
If you find our CVE report and cybersecurity news helpful, consider supporting our work.
Buy Me a Coffee
PayPal
