A new report by cybersecurity giant CrowdStrike found North Korean hackers posing as remote IT workers and online recruiters made up about half of all documented “hands-on-keyboard” intrusions at U.S. tech companies over the past year.
The company’s latest annual report on the cybersecurity landscape highlights the growing threat from North Korean operatives, which have become a significant source of cyber intrusions across the tech industry. Hackers associated with the Kim Jong Un regime continuously target companies and developers with schemes aimed at stealing information and cryptocurrency to fund Pyongyang’s nuclear weapons program, which is banned under international law.
CrowdStrike said that during period covered by the report — April 2025 to May 2026 — the North Korean hacking group that the company calls “Famous Chollima” accounted for 47% of all state-backed activity targeting the tech sector.
The security giant keeps track of hands-on-keyboard intrusions because they typically represent real human hackers conducting malicious and evasive cyber activity, rather than automated malware that traditional security tools can catch. These attacks generally begin with stolen passwords or credentials, followed by the abuse of legitimate tools already present in the target’s systems to maintain persistent access over time.
