
North Korean hackers carried out nearly half of all documented state-backed cyber intrusions against U.S. technology companies during the past year, highlighting the growing scale and sophistication of Pyongyang’s cyber operations. A new cybersecurity assessment found that North Korea-linked actors were behind 47% of state-sponsored activity targeting the technology sector between April 2025 and May 2026, making them one of the most active digital threats facing global businesses.
The report identified the hacking group Famous Chollima as a major force behind these campaigns. The group allegedly used increasingly advanced tactics, including artificial intelligence-generated deepfake images and forged identity documents, to infiltrate companies. As a result, cyber operatives successfully presented themselves as legitimate job candidates and secured remote positions at organizations across the United States, Europe, and Asia.
Moreover, the hackers frequently posed as software developers, coders, and IT specialists during recruitment processes. They reportedly attended virtual interviews using fake identities and convincing digital profiles and, once hired, gained access to corporate networks and sensitive internal systems. This strategy enabled attackers to bypass traditional security barriers while blending into everyday business operations.
Once employed, the operatives allegedly sent their salaries back to North Korea while also collecting valuable corporate information. Investigators found that the stolen data often included intellectual property, confidential business records, and internal communications. In some cases, attackers reportedly used the information as leverage, threatening companies with data exposure unless ransom payments were made.
Meanwhile, cryptocurrency and blockchain companies remained key targets of North Korean cyber activity. Cybersecurity experts estimate that North Korea-linked actors stole around $2 billion in cryptocurrency during 2025 alone. The stolen digital assets are believed to help the country generate revenue and reduce the impact of international sanctions that restrict access to global financial systems.
Furthermore, researchers warned that many of these operations involve direct human-led intrusions rather than automated malware attacks. These “hands-on-keyboard” campaigns typically begin with stolen credentials and the misuse of legitimate software tools already present within company networks. Consequently, attackers can maintain long-term access, move through systems undetected, and increase the potential damage caused by cyber breaches.