CrowdStrike reports that nearly half of the hacking incidents in the US tech sector are attributed to North Koreans.

A recent analysis by cybersecurity leader CrowdStrike revealed that North Korean cybercriminals masquerading as remote IT professionals and online job seekers accounted for nearly half of all recorded “hands-on-keyboard” breaches at U.S. tech firms in the past year.

The firm’s newest annual overview of the cybersecurity environment underlines the escalating threat from North Korean agents, who have emerged as a major contributor to cyber incidents throughout the tech sector. Hackers linked to the Kim Jong Un government routinely target businesses and developers in schemes designed to obtain information and cryptocurrency to support Pyongyang’s nuclear arsenal, which is prohibited under international regulations.

CrowdStrike noted that within the timeframe detailed in the report — from April 2025 to May 2026 — the North Korean hacking coalition dubbed “Famous Chollima” was responsible for 47% of all state-sponsored efforts directed at the tech industry.

The cybersecurity firm monitors hands-on-keyboard intrusions because they typically involve actual human cybercriminals carrying out harmful and stealthy cyber operations, unlike automated malware that conventional security measures can handle. These attacks usually begin with stolen credentials, followed by the abuse of legitimate tools already present in the target’s systems to maintain ongoing access.

Famous Chollima is recognized for impersonating tech professionals, including developers, coders, and IT personnel, and applying for remote positions at U.S., European, and Asian tech firms under false identities. To achieve this, the hackers use AI to create live deepfake images that mimic the faces of real individuals, complemented by counterfeit identity documents like stolen passports and driving licenses to pose as American or other foreign citizens. This method is necessary due to the extensive sanctions imposed on North Korea by Western nations and the United Nations for its persistent advancements in nuclear weaponry.

Once inside, the hackers also receive compensation from the companies they breach, which is redirected to the North Korean government, all while stealing intellectual property and other confidential corporate data. That stolen information is often weaponized; when the operatives are ultimately caught, they frequently threaten to reveal what they have stolen unless the organization complies with their ransom demands.

The hackers also target blockchain developers in schemes to acquire substantial amounts of cryptocurrency, which the Kim regime uses to get around the extensive restrictions on its access to the Western financial system. North Korea has amassed billions of dollars in illicit cryptocurrency over the years, including approximately $2 billion in 2025 alone.
