CrowdStrike says North Koreans are behind nearly half of US tech industry hacks

A new report from cybersecurity giant CrowdStrike reveals that North Korean hackers posing as remote IT workers and online recruiters accounted for about half of all documented “hands-on-keyboard” intrusions into U.S. technology companies over the past year.

The company’s latest annual report on the cybersecurity landscape highlights the growing threat from North Korean operatives, who have become a significant source of cyber breaches across the technology industry. Hackers linked to Kim Jong Un’s regime regularly target companies and developers with schemes aimed at stealing information and cryptocurrencies to fund Pyongyang’s nuclear weapons programme, banned under international law.

CrowdStrike said that during the period covered by the report — from April 2025 to May 2026 — the North Korean hacking group that the company calls “Famous Chollima” accounted for 47% of all state-supported activities targeting the technology sector.

The security giant tracks keyboard intrusions because they typically represent real human hackers conducting malicious and evasive cyber activity, rather than automated malware that traditional security tools can catch. These attacks generally start with stolen passwords or credentials, followed by misuse of legitimate tools already on the target’s systems to maintain persistent access over time.

Cholema is known to pretend to be a tech worker, such as developers, programmers and IT, and then apply for remote jobs at US, European and Asian tech companies under false pretenses. To do this, hackers use artificial intelligence to create fake photos in real time to spoof the faces of real people, pairing those with fake identity documents such as stolen passports and driver’s licenses to pretend to be Americans or other foreign nationals. This is because North Korea is under severe sanctions by the West and the United Nations due to its continued development of nuclear weapons.

Once inside, the hackers also receive a paycheck from the companies they infiltrate, which is funneled back to the North Korean regime, all while stealing intellectual property and other sensitive company information. This stolen information is often used as a weapon; When customers are eventually caught, they often threaten to reveal what they have taken unless the company pays a ransom.

Hackers are also targeting blockchain developers with the aim of stealing large amounts of cryptocurrencies, which the Kim regime uses to avoid its widespread inability to use the Western banking system. North Korea has received billions of dollars in stolen cryptocurrencies over the years, including about $2 billion in 2025 alone.