CrowdStrike Report: North Korean Hackers Responsible for Nearly Half of US Tech Sector Cyberattacks

A new CrowdStrike report reveals that North Korean cyber operatives were linked to nearly 47% of state-sponsored attacks targeting US technology companies. Learn how fake remote IT workers, AI-generated identities, and insider threats are reshaping cybersecurity risks.

Jun 13, 2026 - 06:06

A new report from cybersecurity firm CrowdStrike reveals that North Korean hackers posing as remote IT professionals and online recruiters were responsible for nearly half of all documented hands-on-keyboard cyber intrusions targeting U.S. technology companies over the past year.

The company’s latest annual assessment of the cybersecurity landscape highlights the increasing threat posed by North Korean cyber operatives, who have become a major source of attacks across the technology sector. According to CrowdStrike, groups linked to the regime of Kim Jong Un continue to target businesses and software developers through campaigns designed to steal sensitive information and cryptocurrency, helping fund Pyongyang’s nuclear weapons program, which remains prohibited under international sanctions.

CrowdStrike reported that between April 2025 and May 2026, the North Korean threat actor it tracks as “Famous Chollima” was responsible for 47% of all state-sponsored cyber activity directed at the technology industry.

The company closely monitors hands-on-keyboard intrusions because they typically involve real attackers actively conducting malicious operations, rather than automated malware that is often detected by traditional security tools. These incidents frequently begin with stolen credentials or compromised passwords, after which attackers exploit legitimate software and system tools to maintain long-term access within targeted networks.

Famous Chollima has become well known for impersonating technology workers, including developers, programmers, and IT professionals, while applying for remote positions at companies across the United States, Europe, and Asia. To support these schemes, operatives reportedly use AI-generated deepfake technology to mimic real individuals during video interactions and combine those images with fraudulent identity documents, including stolen passports and driver’s licences, to pose as Americans or other foreign nationals. Such tactics help them bypass restrictions imposed on North Korea, which remains heavily sanctioned by Western governments and the United Nations over its nuclear weapons activities.

Once employed, the operatives collect salaries that are ultimately directed back to the North Korean regime while simultaneously gaining access to intellectual property and other sensitive corporate data. CrowdStrike noted that stolen information is often later used as leverage, with attackers threatening to release confidential material unless companies agree to pay ransom demands after the operation is discovered.

The group also targets blockchain developers and cryptocurrency-related organisations to steal digital assets. North Korea has relied heavily on cyber-enabled cryptocurrency theft to circumvent limitations on its access to the global financial system. According to estimates cited in the report, the regime has accumulated billions of dollars in stolen cryptocurrency over the years, including roughly $2 billion during 2025 alone.

Shivangi Yadav reports on startups, technology policy, and other significant technology-focused developments in India for TechAmerica.Ai. She previously worked as a research intern at ORF.