North Korean hackers were responsible for nearly half of all documented state-backed cyber intrusions targeting U.S. technology companies over the past year, according to a new report by cybersecurity giant CrowdStrike.
The report highlights the growing sophistication of cyber operations linked to Pyongyang, including schemes involving fake remote workers, AI-generated deepfakes, and cryptocurrency theft.
CrowdStrike’s latest annual cybersecurity report found that the North Korean hacking group known as “Famous Chollima” accounted for 47% of all state-sponsored activity directed at the technology sector between April 2025 and May 2026.
The company said the group has become one of the most active cyber threats facing technology firms worldwide.
Hackers posed as remote IT workers
According to the report, North Korean operatives frequently disguised themselves as software developers, coders, and IT professionals to secure remote jobs at companies across the United States, Europe, and Asia.
To support their deception, the hackers allegedly used artificial intelligence-generated deepfake images during online interviews and relied on fraudulent identity documents, including stolen passports and driver’s licenses.
The tactic allowed them to appear as legitimate job candidates while gaining access to corporate networks and sensitive systems.
Salaries and stolen data
CrowdStrike said the scheme serves multiple purposes for North Korea.
Once hired, the operatives receive salaries that are allegedly funneled back to the government in Pyongyang. At the same time, they gain access to valuable intellectual property, confidential business information, and internal company systems.
The report noted that stolen data is often used as leverage, with hackers allegedly threatening to expose sensitive information unless companies pay ransom demands.
Focus on cryptocurrency, blockchain firms
The cybersecurity firm also warned that North Korean hackers continue to aggressively target blockchain developers and cryptocurrency companies.
The regime has increasingly relied on cyber theft to obtain digital assets, helping it bypass international sanctions and restrictions on access to the global banking system.
According to the report, North Korea-linked actors stole approximately $2 billion in cryptocurrency during 2025 alone, adding to billions of dollars obtained through cybercrime over the years.
CrowdStrike said it closely monitors so-called “hands-on-keyboard” intrusions because they involve real human attackers actively operating inside victim networks.
Unlike automated malware campaigns, these attacks often begin with stolen credentials and involve the misuse of legitimate tools already present within a company’s systems.
This approach allows attackers to maintain long-term access while avoiding detection by conventional security software.
