North Korean Hackers Behind Nearly Half of All US Tech Industry Breaches, CrowdStrike Finds

North Korean state-sponsored hackers now account for nearly half of all hands-on-keyboard intrusions targeting American technology companies, according to a new CrowdStrike report covering April 2025 through May 2026. The group tracked as “Famous Chollima” was responsible for 47 percent of all state-backed cyber activity against the US tech sector in that period, CrowdStrike said.

The finding, reported by TechCrunch, underscores the extent to which Pyongyang has turned cyber operations into a primary revenue stream, funding its nuclear weapons program through a combination of espionage, ransomware, and cryptocurrency theft.

Famous Chollima’s signature tactic is persona theft at scale. The hackers pose as remote IT workers, developers, and coders, then apply for jobs at US, European, and Asian technology companies under false identities. To pull this off, they use AI to generate real-time deepfake images that spoof the faces of real people, paired with fraudulent identity documents including stolen passports and driver’s licenses.

Because North Korea is heavily sanctioned by the United Nations and Western nations, the operatives fabricate American or other foreign national identities to pass background checks and video interviews.

Once hired, the hackers earn a salary that gets funneled back to the North Korean regime. But the real damage is the access: they steal intellectual property, source code, and sensitive corporate data. When discovered, the operatives often threaten to leak what they have taken unless the company pays a ransom, weaponizing the very data they were trusted to handle.

The group also targets blockchain developers specifically to steal cryptocurrency. North Korea netted an estimated $2 billion in stolen digital assets during 2025 alone, according to CrowdStrike’s earlier financial services report. These crypto heists are critical for Pyongyang because they bypass the Western banking system that sanctions have largely closed off.

What Hands-on-Keyboard Means

CrowdStrike distinguishes “hands-on-keyboard” intrusions from automated malware attacks because they represent real human hackers actively navigating a victim’s network. These attacks typically begin with stolen passwords or credentials purchased from the underground market, followed by abuse of legitimate tools already present in the target’s systems to maintain persistent, stealthy access over months.

Traditional security tools that look for malware signatures often miss this activity entirely because the hackers are using the victims’ own software against them. The 47 percent figure reflects only state-backed intrusions where CrowdStrike could attribute the activity to North Korea with high confidence. The actual share may be higher.
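As an added illustration (not from the CrowdStrike report or the article), here is a small behavioral check of the kind that catches what signature-based tools miss: it runs over constructed logon and process telemetry for a hypothetical remote-contractor account and flags the two patterns the passage describes, logons from two countries within a short window and legitimate admin tooling that falls outside the account's role baseline. Account names, country codes and the baseline set are all made up.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs), one tuple per event:
# (timestamp, account, logon country, process name). All values are hypothetical.
EVENTS = [
    ("2026-02-03T09:02:11", "contractor7", "US", "code.exe"),
    ("2026-02-03T09:40:51", "contractor7", "US", "git.exe"),
    ("2026-02-03T13:05:30", "contractor7", "XX", "git.exe"),       # second country ~3.5h later
    ("2026-02-03T13:07:02", "contractor7", "XX", "schtasks.exe"),  # not a developer tool
    ("2026-02-03T23:48:19", "contractor7", "XX", "net.exe"),
    ("2026-02-03T10:12:45", "dev_alice", "US", "code.exe"),
    ("2026-02-03T15:30:00", "dev_alice", "US", "python.exe"),
]

# Processes a developer role is expected to launch. Anything else coming from a
# developer account is "off-baseline" and worth a look, whether or not it is malware.
DEVELOPER_BASELINE = {"code.exe", "git.exe", "python.exe", "node.exe"}

def parse(events):
    return sorted((datetime.fromisoformat(ts), acct, country, proc)
                  for ts, acct, country, proc in events)

def impossible_travel(events, window=timedelta(hours=6)):
    """Accounts seen logging on from two different countries within `window`."""
    findings = []
    last_seen = {}  # account -> (time, country) of the previous event
    for when, acct, country, _ in parse(events):
        prev = last_seen.get(acct)
        if prev and prev[1] != country and when - prev[0] <= window:
            findings.append((acct, prev[1], country, when.isoformat()))
        last_seen[acct] = (when, country)
    return findings

def off_baseline_tools(events, baseline=DEVELOPER_BASELINE):
    """Legitimate-looking processes launched by an account outside its role baseline."""
    seen = defaultdict(set)
    for _, acct, _, proc in parse(events):
        if proc not in baseline:
            seen[acct].add(proc)
    return {acct: sorted(procs) for acct, procs in seen.items()}

if __name__ == "__main__":
    for finding in impossible_travel(EVENTS):
        print("impossible travel:", finding)
    for acct, tools in off_baseline_tools(EVENTS).items():
        print("off-baseline tools:", acct, tools)
```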

The Bigger Picture

The CrowdStrike report adds to a growing body of evidence that North Korea’s cyber apparatus has become one of the most effective and well-funded operations in the world. While other state actors like China and Russia focus on espionage and infrastructure sabotage, Pyongyang’s hackers are uniquely focused on revenue generation. The IT worker infiltration scheme is particularly hard to defend against because it exploits the basic mechanics of hiring: trust, verification gaps, and the global shift to remote work.

For US tech companies, the implication is that background checks, video interview verification, and device management policies are no longer just HR processes. They are frontline cybersecurity defenses. Companies that hire remote developers without rigorous identity verification and credential monitoring are effectively leaving the door open.
