North Korean Hackers Responsible for Nearly Half of State-Backed Cyber Intrusions Targeting U.S. Tech Firms, Report Says

North Korean hackers were responsible for nearly half of all state-sponsored cyber intrusions targeting U.S. technology companies over the past year, according to a new report by cybersecurity firm CrowdStrike.

The report states that cyber groups backed by Pyongyang have become increasingly sophisticated, employing tactics such as posing as remote workers, using artificial intelligence-generated deepfakes, and stealing cryptocurrency to fund their operations.

In its annual cybersecurity threat report, CrowdStrike revealed that the North Korean hacking group known as “Famous Chollima” accounted for 47 percent of all state-sponsored cyber activity directed at the technology sector between April 2025 and May 2026.

According to the report, the group has emerged as one of the most active and persistent cyber threats facing technology companies worldwide.

CrowdStrike said North Korean operatives frequently attempt to secure remote employment at companies in the United States, Europe, and Asia by presenting themselves as software developers, programmers, or IT specialists.

To make their fraudulent identities appear legitimate, they reportedly use AI-generated deepfake images, stolen passports, and forged identification documents, including driver’s licenses. These methods allow them to infiltrate corporate networks and gain access to sensitive systems under the guise of legitimate job applicants.

The report notes that this strategy provides multiple benefits for North Korea. Salaries earned by individuals working under false identities are allegedly funneled back to the government. At the same time, the operatives gain access to valuable intellectual property, confidential business information, and internal systems.

Stolen data is often used as leverage in extortion schemes. In many cases, hackers threaten to leak sensitive information unless companies pay a ransom.

CrowdStrike also warned that North Korean cyber actors continue to aggressively target blockchain developers and cryptocurrency companies.

Faced with international sanctions and restrictions within the global banking system, North Korea has increasingly relied on cyber theft to obtain digital assets and generate revenue.

According to the report, cybercriminals linked to North Korea stole approximately $2 billion worth of cryptocurrency in 2025 alone. Experts believe the country has accumulated several additional billions of dollars through various cybercrime operations over the years.

CrowdStrike said it closely monitors “hands-on-keyboard” cyberattacks, in which human operators directly interact with a victim’s network rather than relying solely on automated malware.

In such attacks, threat actors often use stolen login credentials and abuse legitimate software and administrative tools already present within an organization. This approach enables them to remain undetected for extended periods and bypass conventional security systems while maintaining long-term access to targeted networks.