North Korean hackers behind half of US tech cyber intrusions, CrowdStrike reveals

A new report by cybersecurity firm CrowdStrike reveals that North Korean hackers, disguising themselves as remote IT workers and online recruiters, were responsible for about half of all documented “hands-on-keyboard” intrusions at U.S. tech companies last year.

The company’s latest cybersecurity report highlights the growing threat posed by North Korean operatives, who are a major source of cyber intrusions in the tech industry. These hackers, linked to the Kim Jong Un regime, continually target companies and developers with schemes to steal information and cryptocurrency, funding North Korea’s banned nuclear program.

From April 2025 to May 2026, CrowdStrike attributed 47 percent of all state-backed cyber activity against the tech sector to a North Korean hacking group called “Famous Chollima.”

The company focuses on “hands-on-keyboard” intrusions because they involve actual human hackers executing malicious activities, unlike automated malware, which traditional security tools can usually detect.

These attacks often start with stolen passwords or credentials, then exploit legitimate tools already in the target’s systems to maintain persistent access. Famous Chollima operatives often pose as tech workers, developers, coders, and IT personnel, applying for remote jobs at U.S., European, and Asian tech companies under false pretenses.

They use AI to create real-time deepfake images that mimic real faces and combine them with stolen identification documents, such as passports and driver’s licenses, to impersonate Americans or other foreigners.

This strategy is driven by Western and UN sanctions on North Korea’s nuclear weapons development. Once inside, hackers earn salaries from the infiltrated companies, which are then funneled back to the North Korean regime, all while stealing intellectual property and sensitive data.

This stolen information is frequently weaponized; when operatives are caught, they often threaten to reveal what they’ve stolen unless paid a ransom. The hackers also target blockchain developers to steal large amounts of cryptocurrency, which North Korea uses to bypass restrictions on the Western banking system.

Over the years, North Korea has stolen billions in crypto, with about $2 billion stolen in 2025 alone.