
North Korean Hackers Behind 47% of US Tech Sector Intrusions

Huma Shazia · 11 June 2026 at 1:56 am · 5 min read

Key Takeaways

Source: TechCrunch
  • North Korea's Famous Chollima group caused 47% of state-sponsored tech sector intrusions from April 2025 to May 2026
  • Hackers pose as remote IT workers using AI deepfakes and stolen identity documents to get hired at US tech firms
  • North Korea stole $2 billion in cryptocurrency during 2025 alone to fund its nuclear weapons program

The Remote Worker Threat

North Korean hackers have turned the remote hiring process into their primary attack vector. A new CrowdStrike report found that operatives linked to the Kim Jong Un regime accounted for 47% of all state-sponsored "hands-on-keyboard" intrusions at US tech companies between April 2025 and May 2026.

The cybersecurity firm tracks hands-on-keyboard intrusions specifically because they represent real human hackers conducting targeted attacks, not automated malware that standard security tools can catch. These attacks typically start with stolen credentials, followed by abuse of legitimate tools already present in the target's systems to maintain long-term access.

47%
Share of all state-sponsored tech sector intrusions attributed to North Korean hackers (April 2025 – May 2026)

The group responsible, which CrowdStrike calls "Famous Chollima," has refined a particularly insidious tactic. They pose as software developers, coders, and IT professionals, then apply for remote jobs at tech companies in the US, Europe, and Asia under false identities.

How the Scheme Works

The hackers use AI to generate real-time deepfake images that spoof the faces of real people. They pair these with fraudulent identity documents, including stolen passports and driver's licenses, to pose as Americans or as nationals of other countries. North Korea's heavy international sanctions make this deception necessary for the regime's operatives to access Western companies.

The weaponization of remote IT roles has turned the hiring process into a primary attack vector, allowing operatives to bypass traditional perimeter defenses and maintain persistence from within.

— CrowdStrike Lead Intelligence Analyst, Industry Briefing June 2026

Once hired, the operatives collect actual salaries from the companies they infiltrate. That money gets funneled back to the North Korean regime. Meanwhile, they steal intellectual property and other sensitive corporate information from inside the organization.

The stolen information becomes a weapon too. When these operatives get caught, they often threaten to expose what they've taken unless the company pays a ransom. It's a double extraction scheme: theft during employment, then extortion on the way out.

The Cryptocurrency Pipeline

Beyond corporate espionage, Famous Chollima specifically targets blockchain developers to steal cryptocurrency. The Kim regime uses stolen crypto to bypass its near-total exclusion from the Western banking system.

The numbers are staggering. North Korea has stolen billions of dollars in cryptocurrency over the years. In 2025 alone, the regime netted approximately $2 billion in stolen crypto. This money directly funds Pyongyang's nuclear weapons program, which is banned under international law.

CrowdStrike's report also found that 45% of all global interactive intrusions in the technology sector specifically targeted organizations based in North America. The US tech industry has become the primary hunting ground for state-sponsored hackers.

Industry Response and Debate

The findings have sparked debate across the tech community. On HackerNews, discussions center on the difficulty of verifying contractor identities and calls for more rigorous multi-factor identity verification during hiring. Some argue that video interviews alone can't catch sophisticated deepfakes.

On Reddit's r/cybersecurity, users are debating whether this trend will force companies to roll back fully remote work policies for high-security roles. Some suggest that requiring periodic in-person verification could help, though others point out this would undermine many of the benefits of remote work.


The challenge for companies is balancing security with operational flexibility. Remote work expanded talent pools and reduced costs, but it also created new vulnerabilities. Traditional background checks weren't designed for a world where applicants can present AI-generated faces during video calls.


Logicity's Take

What Companies Can Do

The CrowdStrike report doesn't just document the problem. It highlights that these attacks succeed because they bypass traditional perimeter defenses entirely. Once someone is an employee, they have legitimate access to systems, repositories, and communications.

  • Implement multi-factor identity verification that goes beyond document checks
  • Require verified references from known entities, not just listed contacts
  • Monitor for unusual access patterns even from authenticated employees
  • Segment sensitive systems so no single role has broad access
  • Conduct periodic re-verification for contractors in sensitive positions
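The report's description of hands-on-keyboard intrusions (stolen credentials, then abuse of legitimate tools from inside) and the recommendations above to segment sensitive systems and monitor for unusual access even from authenticated employees both come down to the same defensive question: does an account's actual activity match what its role should need? The script below is an added example, not code from the article, from CrowdStrike or from Logicity. It scores a constructed source-control access log against a constructed per-role repository policy and flags four patterns a defender would want surfaced: access to repositories outside the role, access to sensitive repositories specifically, bulk cloning of many repositories in a short window, and a change of country between consecutive sessions. All names, log lines, thresholds and role mappings are assumptions made up for the example.

```python
"""Added example (not the article's or CrowdStrike's code): flag insider-style
access anomalies for authenticated accounts. Log lines, role policy and
thresholds below are constructed for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed role policy: the repositories each role is expected to touch.
# This is the "segment sensitive systems" recommendation expressed as data.
ROLE_ALLOWED_REPOS = {
    "frontend-contractor": {"web-ui", "design-system"},
    "backend-engineer": {"api", "billing", "web-ui"},
}
SENSITIVE_REPOS = {"billing", "hsm-config", "wallet-signer"}  # constructed
BULK_CLONE_THRESHOLD = 5          # distinct repos cloned within BULK_WINDOW
BULK_WINDOW = timedelta(hours=1)
GEO_WINDOW = timedelta(hours=6)   # country change inside this window is odd

# Constructed sample log. Fields: timestamp user role action repo country
SAMPLE_LOG = """\
2026-05-03T09:02:11Z jdoe frontend-contractor clone web-ui US
2026-05-03T09:40:55Z jdoe frontend-contractor push design-system US
2026-05-03T22:15:03Z jdoe frontend-contractor clone billing US
2026-05-03T22:16:40Z jdoe frontend-contractor clone api US
2026-05-03T22:17:02Z jdoe frontend-contractor clone wallet-signer US
2026-05-03T22:18:19Z jdoe frontend-contractor clone hsm-config US
2026-05-03T22:19:44Z jdoe frontend-contractor clone design-system US
2026-05-04T01:30:00Z jdoe frontend-contractor clone web-ui DE
2026-05-03T10:00:00Z asmith backend-engineer push api US
2026-05-03T14:12:00Z asmith backend-engineer clone billing US
"""


def parse_log(text):
    """Parse whitespace-separated log lines into dicts sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, action, repo, country = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user, "role": role, "action": action,
            "repo": repo, "country": country,
        })
    return sorted(events, key=lambda e: e["ts"])


def detect_anomalies(events):
    """Return (user, kind, detail, timestamp) findings for each account."""
    findings = []
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)

    for user, evs in by_user.items():
        # Role is assumed constant per user in this example.
        allowed = ROLE_ALLOWED_REPOS.get(evs[0]["role"], set())

        # 1. Any repository the role is not expected to touch; sensitive
        #    repositories are reported under their own kind.
        for e in evs:
            if e["repo"] not in allowed:
                kind = ("sensitive_repo_outside_role"
                        if e["repo"] in SENSITIVE_REPOS else "repo_outside_role")
                findings.append((user, kind, e["repo"], e["ts"]))

        # 2. Bulk cloning: many distinct repos inside a sliding window.
        clones = [e for e in evs if e["action"] == "clone"]
        for i, start in enumerate(clones):
            window = [c for c in clones[i:] if c["ts"] - start["ts"] <= BULK_WINDOW]
            repos = {c["repo"] for c in window}
            if len(repos) >= BULK_CLONE_THRESHOLD:
                findings.append((user, "bulk_clone", len(repos), start["ts"]))
                break  # one finding per user is enough for triage

        # 3. Country change between consecutive events within GEO_WINDOW.
        for prev, cur in zip(evs, evs[1:]):
            if (prev["country"] != cur["country"]
                    and cur["ts"] - prev["ts"] <= GEO_WINDOW):
                detail = f"{prev['country']}->{cur['country']}"
                findings.append((user, "country_change", detail, cur["ts"]))
    return findings


def summarize(findings):
    """Count findings by kind, handy for a dashboard or alert threshold."""
    counts = defaultdict(int)
    for _, kind, *_ in findings:
        counts[kind] += 1
    return dict(counts)


if __name__ == "__main__":
    for user, kind, detail, ts in detect_anomalies(parse_log(SAMPLE_LOG)):
        print(f"{ts.isoformat()}  {user:8} {kind:28} {detail}")
```

The role policy is deliberately an allowlist: an account that reaches a repository its role was never granted is a finding even if the platform's permissions let it through, which is exactly the gap the report describes for a hired-in operative with legitimate credentials. Thresholds and windows are arbitrary here and would be tuned against real baselines; the point is that every check runs on authenticated, successful events rather than on failed logins or malware signatures.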

The uncomfortable truth is that nation-state hackers with AI tools and stolen documents can often pass standard background checks. Companies need verification processes designed for adversaries who can fake most traditional proof of identity.

Frequently Asked Questions

What is Famous Chollima?

Famous Chollima is CrowdStrike's name for a North Korean hacking group that poses as remote IT workers to infiltrate tech companies. The group accounted for 47% of state-sponsored tech sector intrusions in the past year.

How do North Korean hackers get hired at US tech companies?

They use AI-generated deepfake images during video interviews and present fraudulent identity documents like stolen passports. This lets them pose as Americans or as nationals of other countries eligible for remote work.

Why does North Korea target tech companies?

To steal intellectual property, earn salaries that get funneled to the regime, and access cryptocurrency. The stolen crypto helps North Korea bypass international banking sanctions and fund its nuclear weapons program.

How much cryptocurrency has North Korea stolen?

North Korea has stolen billions over the years, including approximately $2 billion in 2025 alone according to the CrowdStrike report.

What is a hands-on-keyboard intrusion?

A cyberattack where a real human hacker is actively conducting malicious activity, rather than automated malware. These are harder to detect because attackers use legitimate tools already present in the target's systems.


Source: TechCrunch / Zack Whittaker


Huma Shazia

Senior AI & Tech Writer
