47% of all documented hands-on-keyboard intrusions targeting U.S. tech companies over the past 13 months came from a single North Korean hacking group. That's CrowdStrike's headline finding in its latest annual threat report, covering April 2025 through May 2026.
CrowdStrike tracks hands-on-keyboard intrusions specifically because they represent human attackers actively manipulating systems, not automated malware. These are the hardest to detect and the most damaging. The group behind that 47% figure, which CrowdStrike calls Famous Chollima, has refined a playbook that exploits the remote-work economy.
How Famous Chollima Infiltrates Companies
Famous Chollima operators pose as developers, coders, or IT staff and apply for remote jobs at U.S., European, and Asian tech companies. To pass identity checks, they use AI-generated deepfake images in real time, paired with fraudulent passports and driver's licenses stolen from real people. Once hired, they earn a salary that gets funneled back to the North Korean regime, all while stealing intellectual property and sensitive corporate data.
When caught, these operatives often threaten to leak stolen information unless the company pays a ransom. CrowdStrike's report notes that initial access typically begins with stolen credentials, followed by abuse of legitimate tools already present in the target's environment to maintain persistence.
The $2 Billion Crypto Heist
Blockchain developers are a primary target. Famous Chollima has netted billions in stolen cryptocurrency over the years, with roughly $2 billion in 5 alone. The Kim regime uses these funds to bypass Western sanctions and finance its nuclear weapons program, which remains illegal under international law.
CrowdStrike's data makes one thing clear: as long as remote hiring relies on easily faked identity checks, Famous Chollima will keep collecting paychecks and stealing secrets. Expect more companies to adopt biometric liveness detection and government-backed credential verification.
Source: North Koreans behind nearly half of US tech industry hacks, says CrowdStrike
Domain: techcrunch.com