CrowdStrike Report Flags Growing Pyongyang-Linked Threat
North Korean hackers were responsible for a major share of documented state-backed cyber intrusions targeting US technology companies over the past year, according to a new report by cybersecurity firm CrowdStrike.
The report highlights the growing reach and sophistication of cyber operations linked to Pyongyang. It says North Korean groups are using fake remote workers, artificial intelligence tools, deepfake images and cryptocurrency theft to target companies.
CrowdStrike said the hacking group known as Famous Chollima accounted for nearly half of state-sponsored activity directed at the technology sector between April 2025 and May 2026.
The company described the group as one of the most active cyber threats facing technology firms worldwide.
The findings show how cyberattacks are no longer limited to malware or direct hacking attempts. Attackers are now blending identity fraud, remote hiring, social engineering and insider access to enter company systems.
Hackers Posed as Remote IT Workers
According to the report, North Korean operatives frequently disguised themselves as software developers, coders and IT professionals.
They allegedly applied for remote jobs at companies in the United States, Europe and Asia.
To appear legitimate, the hackers used artificial intelligence-generated deepfake images during online interviews. They also relied on fake identity documents, including stolen passports and driver's licences.
This approach allowed them to pass through recruitment processes and gain access to corporate networks.
Once hired, the operatives could enter sensitive internal systems, view business information and reach valuable intellectual property.
CrowdStrike said the scheme serves two main purposes for North Korea. First, the workers receive salaries that are allegedly sent back to Pyongyang. Second, their access gives the regime opportunities for intelligence collection and cyber theft.
Crypto Firms Remain High-Value Targets
CrowdStrike also warned that North Korean hackers continue to aggressively target cryptocurrency companies and blockchain developers.
The report said North Korea-linked actors stole about $2 billion in cryptocurrency during 2025 alone.
Cybersecurity experts say digital asset theft helps the regime bypass international sanctions and access funds outside the traditional banking system.
The report also highlighted the danger of hands-on-keyboard intrusions. These attacks involve real human operators actively moving inside victim networks.
Unlike automated malware campaigns, such attacks often begin with stolen credentials. The hackers then misuse legitimate tools already present inside company systems.
This makes detection more difficult because the activity can appear normal at first.
CrowdStrike said technology companies must strengthen hiring checks, identity verification, access controls and monitoring systems.
The report shows that North Korean cyber operations are becoming more strategic, more deceptive and more difficult to detect.
For technology firms, the threat now extends beyond firewalls and software. It also reaches hiring systems, remote work processes and everyday business operations.
