Apple server schematics stolen in May 2026 Foxconn cyberattack

Leaked documents may be tip of the iceberg in Foxconn hack, as only Apple server schematics have been shared so far. More damaging documents may come later.

On May 12, AppleInsider reported that ransomware group Nitrogen hacked into Foxconn facilities in North America. Initially, based on the available sample files, it appeared that the attackers didn’t obtain any Apple documentation.

However, additional sample files have now been provided to AppleInsider, including more than 30 confidential Apple documents, all of which appear to be genuine. We’ve analyzed the newly available sample, and while we won’t share any links, the files have all the hallmarks of genuine Apple documentation.

Nitrogen managed to obtain schematics detailing Apple server component designs from March 2026 and late 2025. Apple server rack specifications and manuals, from 2020 through 2023, were also stolen.

The server schematics were created using Siemens NX and are consistent with the format and style used by Apple. Dimensions for various brackets, components, and spacers are described in the documents, as is the chassis design of an internal Apple server.

Apple’s Matterhorn project and other server details

Most significant among the files taken was an overview of Apple’s Matterhorn project, detailing Apple server configurations that utilize Intel’s Whitley and Eagle Stream platforms. The document covers the specifications of Apple servers, as well as their board layout and architecture.

Files related to Apple and Google servers were stolen from Foxconn.

Advertisement

Per the document, Apple’s high-end servers used two 32-core Intel Ice Lake CPUs, more commonly known as 3rd Gen Intel Xeon Scalable processors, at 2.2GHz. They also featured 24 sticks of 128GB DDR4 RAM and Nvidia T4 GPUs, and multiple 8TB NVMe drives, among other things.

Nitrogen also acquired confidential Intel documents, detailing debugging and JTAG processes for the aforementioned Xeon-focused platforms. These files contain the security layers, board designs, and other aspects of Intel hardware.

Though these Intel-based server configurations have likely since been replaced with more powerful Apple Silicon variants, the collection of documents offers a unique look at the processing power Apple needed as recently as 2023.

As for Apple server-related guides and specification documents, Nitrogen provided four files:

• Apple AC Rack Specification
• Apple Bulk and Single Packaging Requirements
• Apple Matterhorn RoT Mezzanine Information
• Apple Server and Storage — Mechanical, Thermal, Industrial, and Packaging Specifications

The Apple documents themselves appear to be genuine. Three of them were written by Apple’s Data Center Hardware and Infrastructure Mechanical Development Leader, Kelly Smith. Clifford Gaw, Apple’s System Hardware Lead, wrote the fourth document in the sample.

These files detail the physical properties of the server racks Apple uses internally, from their dimensions and approved colors to the maximum weight they can carry. Also present are instructions for maintaining airflow, leveling feet, mounting side panels, conducting safety and stability tests, and more.

Nitrogen seemingly did manage to get its hands on real Apple documents. However, they’re not useful for much of anything, unless you have an Apple server lying around, or an entire rack full of them.

Absent from the sample files is anything related to the chips powering Apple Silicon-based servers or anything detailing the purpose of the servers themselves. Server chassis and bracket schematics alone won’t be a concern for Apple.

If the ransomware group actually has additional details regarding Apple Silicon servers, including their motherboard layouts, configurations, and the total number of servers produced, Apple could face issues. Rival AI companies, for instance, might copy Apple’s designs or iterate upon them.

Apple has arguably already fallen behind in the AI race, given that Siri‘s personal context feature announced at WWDC 2024 still isn’t here. Compromised server designs certainly won’t help.

Still, Apple isn’t the only company that has to worry about confidential files reaching its rivals. Foxconn assembles a variety of electronics, components, and products for multiple tech giants.

Aside from schematics and instruction manuals for Apple servers, Nitrogen stole documents related to confidential AMD, Broadcom, Google, Intel, Hewlett-Packard, Micron, Nvidia, Samsung, and Seagate projects.

Internal documents related to Google servers were among the files taken from Foxconn.

Advertisement

Also among the files were documents from Altera, Ampere, Amphenol Power Solutions, Avago, Hilisin, Holy Stone Enterprise, ITG Electronics, Infineon, JCTC, Lotes, Molex, Nexperia, PennEngineering, Puya, Renesas, TA-i Technology, TXC, Walsin, Winbond, and Yageo.

Multiple documents related to the Foxconn-owned Cloud Network Technology, based in Houston, Texas, were also in the sample provided. This includes a shipping label for equipment sent by Hewlett-Packard, among other things.

AMD documents include a motherboard design guide for FL1 processors and SP5 sockets, and technical specifications for the MI300X-O Universal Base Board. The attackers acquired Nvidia documents containing printed circuit board fabrication specifications, board handling requirements, and more.

Files related to the HGX Blackwell 8-GPU, the HGX H20 8-GPU, and the HGX Hopper 8-GPU, along with documents concerning the GB NVL 72, GB 200 NVL, and GB 300 NVL72 compute trays, are present as well. There’s also a file related to the Nvidia Tesla GH200 module.

Documents from Hewlett-Packard and Google also pertain to server components and server designs.

Multiple Hewlett-Packard and Foxconn files, for instance, describe an enterprise server known as the HPE Hoth Tromper. Board designs for this server are also present. The Google GhostFish Fish shelf, meanwhile, is detailed in a separate test-related document.

Also obtained by the group were files detailing the technical specifications of Micron DDR4 SDRAM and Samsung’s 16GB DDR4 SDRAM modules and their various components.

Documents concerning storage devices were also present, with one file, for instance, detailing the Seagate Exos 2×18 mechanical hard drive design.

Nearly all of the documents in the sample provided by Nitrogen are in English and are seemingly related to Foxconn facilities in North America. However, the ransomware group also included PDFs of Foxconn emails in Chinese, though the content remains server-related.

Some of the files taken from Foxconn contain regulatory compliance information or detail hardware testing procedures.

Overall, nearly everything taken from Foxconn appears to be server-focused. There do not appear to be documents from Foxconn’s Guanlan and Zhengzhou facilities, which assemble other Apple products, like the iPhone.

There’s also nothing related to iPad, Mac, or Apple Vision Pro assembly, despite Foxconn playing a key part in the manufacturing of these device lines.

Foxconn’s assembly plants in North America, such as the one in Mount Pleasant, Wisconsin, or the one in Houston, Texas, don’t assemble Apple products beyond servers, so it’s no surprise that no iPhone-related documents appeared.

The full scope of the Foxconn cyberattack, however, remains undetermined, as the ransomware group responsible says it stole over 11 million files, allegedly equating to eight terabytes.

As it currently stands, it does not appear that this attack will yield any significant Apple design leaks.