CrowdStrike Report: North Korean Hackers Accounted for 47% of State-Backed Tech Intrusions Targeting U.S. Companies
CrowdStrike’s annual report found North Korean operatives posing as remote IT workers carried out roughly half of documented hands-on-keyboard intrusions at U.S. tech companies between April 2025 and May 2026.
TechCrunchU.S. tech companies over the past year, according to CrowdStrike’s latest annual cybersecurity report. The report covers the period from April 2025 to May 2026.
During that time, the hacking group CrowdStrike labels Famous Chollima accounted for 47% of all state-backed activity targeting the tech sector. , European, and Asian companies under false pretenses. They use AI-generated real-time deepfake images paired with stolen passports and driver’s licenses to impersonate applicants.
Once hired, the hackers receive salaries that are funneled back to the North Korean regime. They also steal intellectual property and sensitive corporate data. Attacks typically begin with stolen passwords or credentials, followed by abuse of legitimate tools already present in the target systems.
The operatives frequently target blockchain developers to steal cryptocurrency. When discovered, the hackers often threaten to expose the stolen information unless the company pays a ransom. North Korea netted some $2 billion in stolen crypto during 2025 alone.
CrowdStrike tracks hands-on-keyboard intrusions because they represent real human operators conducting malicious activity that automated malware tools often miss.
