Key Takeaways
- North Korean hackers masquerading as remote IT workers accounted for roughly half of all documented hands‑on‑keyboard intrusions at U.S. tech firms between April 2025 and May 2026.
- The activity is chiefly attributed to the state‑backed group CrowdStrike labels “Famous Chollima,” which represented 47 % of all state‑sponsored cyber actions targeting the technology sector.
- Operators use AI‑generated deepfake video and forged identity documents to pose as legitimate job applicants, then collect salaries that are funneled back to the Pyongyang regime while exfiltrating intellectual property and cryptocurrency.
- Stolen crypto, especially from blockchain developers, has become a major funding source for North Korea’s sanctioned nuclear weapons program, with roughly $2 billion taken in 2025 alone.
- When detected, the attackers often threaten to leak the purloined data unless a ransom is paid, turning espionage into extortion.
Overview of CrowdStrike Findings
CrowdStrike’s annual cybersecurity landscape report reveals that North Korean operatives have become a dominant threat to U.S. technology companies. Over the twelve‑month period from April 2025 to May 2026, hackers linked to the Kim Jong Un regime were responsible for approximately 50 % of all recorded hands‑on‑keyboard intrusions at American tech firms. This statistic underscores a shift from purely automated malware attacks to deliberate, human‑driven campaigns designed to infiltrate networks, harvest valuable data, and generate revenue for Pyongyang’s prohibited weapons programs.
What Constitutes a Hands‑on‑Keyboard Intrusion
The report defines hands‑on‑keyboard activity as cyber operations in which a real human attacker directly interacts with a compromised system, as opposed to automated scripts or malware that security tools can often detect. Such intrusions typically begin with the acquisition of valid credentials—through phishing, credential stuffing, or purchased access—followed by the misuse of legitimate administrative tools already present in the victim’s environment. This approach allows attackers to maintain persistent, low‑profile access while evading many conventional defenses.
Famous Chollima: The State‑Backed Actor
CrowdStrike tracks a specific North Korean hacking collective it dubs “Famous Chollima.” During the reporting window, this group accounted for 47 % of all state‑backed cyber actions aimed at the technology sector worldwide. The high proportion illustrates how tightly the regime has aligned its cyber espionage units with economic gain, using illicit employment schemes to both fund the regime and steal strategic assets from private enterprises.
Tactics: Deepfake Video and Fraudulent Identification
To infiltrate companies under false pretenses, Famous Chollima operatives employ sophisticated AI‑driven deepfake technology to generate real‑time video likenesses of actual individuals. These fabricated faces are paired with stolen or forged identity documents—such as passports, driver’s licenses, and utility bills—to construct convincing personas that appear to be American or other foreign nationals. The use of deepfakes helps bypass video‑based verification steps that many remote‑hiring processes now rely on.
Recruitment Scheme: Fake Remote Job Applications
Once a credible false identity is established, the hackers apply for remote positions such as software developer, IT support, or coder at U.S., European, and Asian tech firms. Because they are hired as legitimate employees, they receive a regular salary, which is subsequently redirected to the North Korean government. This arrangement not only provides a steady cash flow to Pyongyang but also grants the attackers ongoing, trusted access to corporate networks and development environments.
Exfiltration of Intellectual Property and Sensitive Data
While embedded within a target organization, the operatives systematically search for and exfiltrate valuable intellectual property, source code, product roadmaps, and other confidential business information. CrowdStrike notes that this data is often weaponized later; if the intrusion is discovered, the attackers frequently threaten to publish or sell the stolen material unless the victim pays a ransom, effectively turning espionage into an extortion scheme.
Targeting Blockchain Developers and Cryptocurrency Heists
A notable subset of Famous Chollima’s activity focuses on blockchain and cryptocurrency firms. By posing as developers or engineers, the hackers gain access to wallets, private keys, and exchange infrastructure, enabling them to siphon large quantities of digital currency. North Korea has amassed billions of dollars in stolen crypto over recent years, with CrowdStrike highlighting approximately $2 billion taken during 2025 alone. These funds help the regime circumvent international sanctions that restrict its access to the global banking system.
Financial Flow to the Pyongyang Regime
The salaries earned by the infiltrated workers, combined with the proceeds from cryptocurrency theft and any ransom payments, are funneled back to North Korea’s government. This revenue stream supports the regime’s banned nuclear weapons program and other illicit activities, illustrating how cybercrime has become a critical component of the country’s evasion strategy amid severe economic restrictions.
Broader Implications for the Technology Sector
The prevalence of North Korean‑led hands‑on‑keyboard intrusions signals a growing challenge for companies that rely on remote hiring and distributed workforces. Traditional security controls that focus on malware signatures are insufficient against adversaries who abuse legitimate credentials and tools. Organizations must therefore strengthen identity verification, monitor for anomalous use of administrative utilities, and implement robust multi‑factor authentication to detect and mitigate these sophisticated, human‑driven threats.
Conclusion
CrowdStrike’s findings underscore that North Korean cyber operatives have evolved from occasional nuisance actors to a persistent, financially motivated threat embedded within the fabric of global tech employment. By exploiting deepfake technology, fraudulent documentation, and the trust inherent in remote work arrangements, they siphon salaries, intellectual property, and cryptocurrency to fund a prohibited weapons program. Vigilance, enhanced vetting procedures, and continuous monitoring of privileged activity are essential for companies seeking to defend against this evolving menace.