North Korean Hackers Behind 50% of U.S. Tech Sector Intrusions, Insights from CrowdStrike
North Korean hackers are using AI-generated deepfake images and fraudulent documents to infiltrate U.S. tech companies as remote workers
- Incident date: Jun 2026
- Target: U.S. tech companies
A report by CrowdStrike reveals that North Korean operatives were responsible for 47% of state-backed cyber intrusions targeting the U.S. tech sector between April 2025 and May 2026. These hackers, identified as the group Famous Chollima, are increasingly using sophisticated deception tactics to gain access to corporate systems and sensitive intellectual property.
What happened
The group Famous Chollima systematically infiltrates U.S., European, and Asian tech firms by posing as legitimate remote IT workers, developers, and coders. To bypass recruitment vetting, the hackers use AI to generate real-time deepfake images that mimic real individuals. These visual deceptions are paired with counterfeit identity documents, including stolen passports and driver's licenses, to masquerade as foreign nationals.
Once embedded within an organization, these operatives leverage stolen credentials and existing system tools to maintain persistent access. Their primary objectives include the theft of intellectual property and cryptocurrency, which the regime uses to fund nuclear programs and circumvent international sanctions. Beyond direct data theft, these hackers collect salaries from their victimized employers, which are then funneled back to North Korea. When detected, the operatives often attempt to extort the companies by threatening to expose stolen sensitive information unless a ransom is paid.