FulcrumSec
FulcrumSec is a financially motivated cyber extortion group active since at least late 2025, most consistently described as emerging around September to October 2025.
Profile source: Mallory opens in a new tabFulcrumSec
Family profile
FulcrumSec is a financially motivated cyber extortion group active since at least late 2025, most consistently described as emerging around September to October 2025. The group is best known for data-theft and extortion operations against cloud-native enterprises, typically prioritizing theft of sensitive information over disruptive encryption-based ransomware. Reporting repeatedly characterizes its model as data-only extortion, although some accounts have also described double-extortion or ransomware-style activity in selected incidents.
FulcrumSec primarily targets organizations with significant cloud exposure, especially in technology, business services, healthcare, financial services, and education. Publicly associated victims include Novo Nordisk, Global Schools Foundation, LexisNexis, youX, Avnet, Arup Group, and other organizations across multiple countries, with the United States appearing most frequently among claimed victims. The group has shown particular interest in environments hosted on major cloud platforms and in organizations with weak secrets management, over-permissioned machine identities, exposed repositories, misconfigured storage, insecure APIs, and unrotated credentials.
Its tradecraft is centered on opportunistic but effective cloud intrusion techniques rather than bespoke malware. Reported access patterns include abuse of exposed or hardcoded credentials, unrotated API keys and token secrets, misconfigured cloud permissions, publicly reachable development assets, exposed cloud databases and storage, and exploitation of internet-facing application vulnerabilities including CVE-2025-55182. Once inside, FulcrumSec reportedly harvests additional credentials from repositories and cloud secrets stores, pivots across SaaS, CI/CD, source-code, and cloud-control-plane environments, and conducts high-speed exfiltration of large data volumes. Legitimate tooling and normal-looking cloud activity are reportedly used to blend into victim environments.
A notable characteristic of FulcrumSec is its use of AI to enhance extortion operations. The group has been reported using large language models to analyze complex exfiltrated databases and to improve the precision and leverage of ransom negotiations. This aligns with a broader trend of extortion actors using AI to accelerate victim analysis and tailor pressure tactics.
FulcrumSec has been linked to major extortion incidents in 2026, especially against Novo Nordisk and Global Schools Foundation. In the Novo Nordisk case, the group claimed prolonged access, theft of more than a terabyte of data, and a multimillion-dollar ransom demand, with alleged theft spanning source code, clinical and research data, proprietary drug information, employee and healthcare-related data, and internal AI-related assets. In the Global Schools Foundation case, FulcrumSec was associated with large-scale theft of student, parent, employee, and operational data and subsequent extortion pressure, prompting legal action aimed at restraining publication of the stolen material.
The group is commonly described as credible in its operational claims and as maintaining public leak infrastructure to pressure victims and advertise breaches. FulcrumSec has also been referred to by the nickname “The Threat Thespians.” Overall, it represents a modern cloud-focused extortion actor whose success appears to rely less on advanced malware development and more on credential abuse, cloud misconfiguration exploitation, identity-centric lateral movement, large-scale data theft, and psychologically optimized negotiation tactics.
Ransomware.live