
News Summary
- According to a CrowdStrike report, 47 percent of state-sponsored cyberattacks against US technology companies have been linked to North Korean hackers.
- These hackers gained entry into companies by using AI-generated deepfake photos and forged identity documents to secure employment.
- The report states that North Korea stole nearly $200 million in cryptocurrency in 2025, funneling the proceeds into its nuclear weapons program and government expenses.
May 12, Kathmandu — North Korean hackers have actively engaged in state-sponsored cyberattacks targeting American technology companies.
The multinational cybersecurity firm CrowdStrike revealed in its June 9, 2026 “2026 Technology Threat Landscape Report” that about 47 percent of major government-level cyberattacks on the US technology sector last year were attributed to North Korean hackers.
This type of cyber intrusion is known in cybersecurity as “hands-on-keyboard intrusion,” which differs from automated virus or malware attacks because hackers personally control the computers.
During these attacks, hackers behave like legitimate employees — typing on computers, opening folders, and stealing information in ways that evade detection by security systems.
Once inside, the hackers conceal their presence and remain active for extended periods. According to the report, these hackers gain access by posing as fake IT staff or online job recruiters.
They adopt a strategy of seeking “remote jobs” in American, European, and Asian technology companies.
After obtaining employment, they access internal systems to steal confidential data.
To convince companies of their legitimacy, they use AI-generated deepfake photos and videos portraying themselves as familiar developers, coders, or IT specialists.
They also use stolen or forged passports and driver’s licenses that purport to show citizenship in the US or other countries.
Previously, the extensive Sunr network was exposed for stealing US citizens’ identities to secure remote jobs for North Koreans in tech firms, resulting in the imprisonment of American citizen Christina Chapman in 2025.
CrowdStrike’s report highlights that this method has evolved to incorporate AI technologies.
The report covers activity from April 2025 to March 2026 and notes that among North Korean hacking groups, “Famous Chollima” has been the most active.
The government-sponsored and funded Famous Chollima group primarily targets the technology sector.
These hackers operate in two stages: first, stealing employee passwords or confidential information through phishing emails, fake websites, or social media; second, using those credentials to access systems and exploit authorized software and tools.
Once inside, they typically steal valuable business assets and sensitive information, often using intimidation and handcuffing tactics.
CrowdStrike indicated that these hackers particularly focus on blockchain developers who create cryptocurrency software.
In 2025, North Korean-linked groups stole approximately $200 million in cryptocurrency, with a significant theft of about $146 million occurring in February alone.
North Korean leader Kim Jong Un reportedly instructed the government to avoid using Western banking systems, and the stolen assets allegedly fund nuclear weapons and other government spending.
Reports on the financial sector from CrowdStrike show a 43 percent increase over two years in hands-on-keyboard cyberattacks on financial institutions.
Experts assert that North Korea is accelerating state-level cybercrime by providing hackers with training, infrastructure, and authorization, resulting in increasingly sophisticated and high-risk attacks.
To mitigate this threat, CrowdStrike recommends that companies thoroughly verify applicants’ documents and backgrounds. The report advises conducting live video interviews, restricting employee access, implementing comprehensive security measures, and utilizing tools capable of detecting deepfakes.
CrowdStrike is among the world’s leading cybersecurity firms. In July 2024, a minor software update glitch from the company affected 8.5 million computers worldwide, temporarily disrupting services at airports, banks, and hospitals for several hours.
The company’s report confirms that North Korean hackers are involved in nearly half of the state-related cyberattacks on the US technology sector.





