
North Korean hackers posing as remote IT workers and online recruiters made up about half of all documented “hands-on-keyboard” intrusions at U.S. tech companies over the past year, according to a new report by cybersecurity giant CrowdStrike.
The findings highlight how cyber warfare has evolved beyond traditional hacking methods to sophisticated infiltration schemes that generate dual revenue streams for the Kim Jong Un regime. These operations both steal sensitive data and earn legitimate salaries that get funneled back to Pyongyang, all while building intelligence for North Korea’s banned nuclear weapons program.
CrowdStrike’s latest annual cybersecurity report shows that during the period from April 2025 to May 2026, the North Korean hacking group dubbed “Famous Chollima” accounted for 47% of all state-backed activity targeting the tech sector. This represents a significant escalation in North Korean cyber operations against American technology companies.
The security company tracks hands-on-keyboard intrusions because they represent real human hackers conducting sophisticated cyber activities, rather than automated malware that traditional security tools can detect. These attacks typically start with stolen passwords or credentials, then abuse legitimate tools already present in target systems to maintain long-term access.
Famous Chollima operates through an elaborate deception scheme. The hackers pose as tech workers like developers, coders, and IT specialists, then apply for remote jobs at U.S., European, and Asian tech companies. To make this work, they use AI to generate real-time deepfake images that spoof real people’s faces, paired with fraudulent identity documents, including stolen passports and driver’s licenses, to appear as Americans or other foreign nationals.
This sophisticated approach helps them bypass the heavy sanctions imposed on North Korea by Western nations and the United Nations for its ongoing nuclear weapons development. The remote work trend that accelerated during the pandemic has created new opportunities for these infiltration tactics.
Once inside companies, the operation becomes a dual-purpose money maker:

- Hackers earn legitimate salaries that flow back to the North Korean regime
- They steal intellectual property and sensitive corporate information
- Stolen data often becomes ammunition for extortion when operatives are eventually discovered
- Companies face ransom demands to prevent exposure of what was taken

The hackers also specifically target blockchain developers with the goal of stealing large amounts of cryptocurrency. This crypto theft serves as a crucial revenue source for the Kim regime, helping it circumvent its exclusion from the Western banking system. North Korea has stolen billions of dollars in cryptocurrency over recent years, including approximately $2 billion during 2025 alone.
The scale of these operations reflects North Korea’s growing sophistication in cyber warfare and its increasing reliance on digital theft to fund government operations. For U.S. tech companies, the findings underscore the need for enhanced vetting procedures for remote workers and improved detection systems that can identify human-operated attacks rather than just automated threats.