North Korea Behind 50% of US Tech Cyberattacks: CrowdStrike Report
North Korean hackers conducted approximately half of all documented “hands-on keyboard” intrusions into U.S. technology companies over the past year, according to a report from cybersecurity firm CrowdStrike. These operations fund the Pyongyang regime through cryptocurrency theft and fraudulent remote employment.
How do North Korean hackers enter U.S. tech companies?
Hackers infiltrate systems by posing as online recruiters or remote IT employees, according to CrowdStrike. Once they gain access, these individuals are sometimes hired as remote staff.

The salaries paid by the targeted companies are then funneled back to the North Korean regime. While employed, the hackers steal intellectual property and sensitive data.
CrowdStrike reports that this stolen information is used for blackmail. If their activities are uncovered, the hackers may threaten to release the data unless a ransom is paid.
Why is the North Korean regime targeting the tech sector?
The primary goal of these cyber operations is to generate revenue for the regime while it faces heavy international sanctions. BFM Tech reports that these activities generate hundreds of millions, and potentially billions, of dollars annually.
These funds contribute to the financing of Pyongyang’s nuclear weapons program. This program is prohibited under international law, according to BFM Tech.
What role does the “Famous Chollima” group play?
A specific hacking group identified by CrowdStrike as “Famous Chollima” is a primary driver of these attacks. Between April 2025 and May 2026, this group represented 47% of all state-sponsored activity targeting the technology sector.
The group employs sophisticated techniques to divert cryptocurrencies and steal industrial secrets. These operations have been active for over a decade as Pyongyang increases its cyber capabilities.
What may happen next in these cyber operations?
The regime may continue to develop more sophisticated infiltration techniques to maintain funding despite international sanctions. It is possible that hackers will expand their use of fake recruiter personas to reach a wider range of developers.
Companies could see an increase in “hands-on keyboard” activity as the “Famous Chollima” group refines its methods for stealing intellectual property and cryptocurrency.
Frequently Asked Questions
What percentage of state-sponsored tech intrusions are linked to Famous Chollima?
According to CrowdStrike, the group accounted for 47% of state-sponsored activities targeting the tech sector from April 2025 to May 2026.
How does North Korea use the money stolen from these hacks?
BFM Tech reports that the revenue helps fund the regime and its nuclear weapons program, which is banned by international law.
What tactics do these hackers use to gain access to companies?
CrowdStrike states they pose as remote IT employees or online recruiters to infiltrate systems and steal sensitive data.
How should technology companies verify the identity of remote hires to prevent state-sponsored infiltration?