North Korean hackers pose as remote workers to target tech companies
North Korean operatives are slipping into U.S. tech firms as remote workers, then using that access to steal data, paychecks and leverage.

North Korean operatives are increasingly entering U.S. tech companies through the front door, posing as remote workers and online recruiters rather than relying only on malware. CrowdStrike said the campaign accounted for roughly half of the documented hands-on-keyboard intrusions aimed at U.S. tech firms over the past year, a sign that real people, not just automated tools, are driving some of the most disruptive breaches.
The company said the North Korean group it labels Famous Chollima made up 47 percent of all state-backed activity targeting the tech sector. The intrusions often start with stolen credentials, then move through legitimate tools already inside a victim’s environment, allowing attackers to blend in, stay hidden and maintain access. In practice, that means the danger is not limited to firewalls and endpoints. Hiring systems, identity checks and onboarding workflows have become part of the security perimeter.

CrowdStrike said the operators use fake identities to apply for remote jobs at companies in the United States, Europe and Asia. Once inside, they can collect a salary, steal intellectual property and use their access as cover for espionage or extortion. The company also said the group is increasingly using AI to generate real-time deepfake images and fraudulent identity documents, including stolen passports and driver licenses, making it harder for recruiters and security teams to spot impostors before they are hired.
The threat is tied to North Korea’s need to raise money under sanctions. CrowdStrike has linked the regime’s cyber activity to cryptocurrency theft and said the broader effort has generated billions of dollars in illicit gains over time. In a financial-services report released May 14, 2026, the company said DPRK-nexus adversaries stole $2.02 billion in digital assets in 2025, a 51 percent increase from the year before. It also said hands-on-keyboard intrusions against financial institutions rose 43 percent globally and 48 percent in North America.
CrowdStrike’s wider 2026 Global Threat Report, published February 24, 2026, said AI-enabled attacks jumped 89 percent year over year and the average eCrime breakout time fell to 29 minutes. The company said it tracks more than 280 named adversaries, underscoring how quickly these tactics are spreading across industries and geographies.
Its adversary profiles add more context. Famous Chollima is tied to North Korea-linked insider activity, while Labyrinth Chollima has been active since at least 2009 and is assessed by CrowdStrike to be likely affiliated with Bureau 121 of North Korea’s Reconnaissance General Bureau. CrowdStrike said Labyrinth Chollima has evolved into three specialized subgroups since 2018, a reminder that these operations are organized, adaptive and built to move with the market.
The warning for U.S. companies is clear: HR vetting is now cyber defense. If identity proofing is weak, the attack surface starts before a new hire ever gets a laptop.
This article was produced by Prism’s automated news system from verified source data, official records, and press releases, then run through automated quality and moderation checks before publishing. The system is built and supervised by the people who set the standards it runs under.


