


North Korean hackers were responsible for nearly half of all state-sponsored cyber intrusions targeting US technology companies over the past year, according to cybersecurity firm CrowdStrike.
In its latest annual cybersecurity report, CrowdStrike said cyber groups linked to Pyongyang have become increasingly sophisticated. Their tactics now include posing as remote IT workers, using AI-generated deepfakes, and stealing cryptocurrency.
The report found that the North Korean hacking group "Famous Chollima" accounted for 47 percent of all state-sponsored cyber activity targeting the technology sector between April 2025 and May 2026. CrowdStrike identified the group as one of the most active cyber threats facing technology companies worldwide.
According to CrowdStrike, North Korean operatives frequently apply for remote jobs at organizations in the United States, Europe, and Asia while posing as software developers, programmers, or IT specialists.
To support these false identities, they reportedly use AI-generated images, stolen passports, and forged identification documents. Once hired, they can gain access to company networks and sensitive systems while appearing to be legitimate employees.
The report says North Korea benefits in multiple ways from these operations. Salaries earned by the operatives are believed to be transferred to the regime, while access to company systems allows them to collect intellectual property, confidential business information, and internal data.
In some cases, the stolen information is later used for extortion. Hackers threaten to release sensitive data unless organizations pay a ransom.
CrowdStrike also noted that North Korean hackers continue to target blockchain developers and cryptocurrency companies.
The report states that North Korea increasingly relies on cyber theft to obtain digital assets and generate revenue despite international sanctions and restrictions on the global financial system.
According to CrowdStrike, cybercriminals linked to North Korea stole approximately $2 billion worth of cryptocurrency in 2025. The country has previously been associated with several large-scale digital asset thefts.
CrowdStrike highlighted the growing use of "hands-on-keyboard" attacks, in which human operators directly control activity inside a victim's network rather than relying solely on automated malware.
Using stolen credentials, attackers often exploit legitimate software and internal tools already available within an organization. This approach allows them to remain undetected for extended periods and bypass many traditional security defenses.