A recent report from cybersecurity leader CrowdStrike reveals that North Korean hackers, masquerading as remote IT professionals and online recruiters, were responsible for approximately half of all documented "hands-on-keyboard" intrusions within U.S. tech firms over the past year.
The company's annual cybersecurity report emphasizes the escalating threat posed by North Korean operatives, who have emerged as a major source of cyber intrusions targeting the tech sector. These hackers, linked to the regime of Kim Jong Un, persistently aim to acquire sensitive information and cryptocurrency, which are then utilized to support Pyongyang's nuclear weapons initiatives, violating international laws.
According to CrowdStrike's findings for the period from April 2025 to May 2026, the hacking group known as Famous Chollima accounted for 47% of all state-sponsored cyber activities directed at the technology industry.
CrowdStrike monitors hands-on-keyboard intrusions because they signify genuine human hackers engaging in sophisticated and evasive cyber operations, as opposed to automated malware that traditional security measures can often detect. These attacks typically commence with the theft of passwords or credentials, followed by the exploitation of legitimate tools already present in the target's systems to ensure prolonged access.
Famous Chollima is notorious for impersonating tech professionals, such as developers and IT staff, applying for remote positions at tech companies across the U.S., Europe, and Asia under false identities. To execute these schemes, they employ artificial intelligence to create real-time deepfake images that replicate the appearances of actual individuals, complemented by fraudulent identity documents like stolen passports and driver's licenses, allowing them to pose as Americans or other foreign nationals. This tactic is particularly necessary due to the extensive sanctions imposed on North Korea by Western nations and the United Nations due to its ongoing nuclear weapons development.
Once infiltrated, these hackers not only receive salaries from the companies they breach, which are subsequently funneled back to the North Korean regime, but they also pilfer intellectual property and other sensitive corporate data. Frequently, this stolen information is weaponized; when operatives are apprehended, they often threaten to disclose the information unless a ransom is paid.
Additionally, these hackers target blockchain developers with the goal of stealing substantial amounts of cryptocurrency, which the North Korean regime uses to bypass restrictions on the Western banking system. Over the years, North Korea has amassed billions in stolen cryptocurrency, including an estimated $2 billion in 2025 alone.
This ongoing cyber threat underscores the necessity for enhanced cybersecurity measures in the tech industry, as the implications of these intrusions could shape the future landscape of digital security and international relations.