North Korean Hackers Dominate US Cyber Infiltration, Utilizing AI and Deepfakes for Remote Work Scams
Ana Fernanda, Reporter | 2026-06-11 10:35:21
WASHINGTON — A major shift in cybersecurity threats has emerged as North Korean state-sponsored hackers increasingly pivot from external network breaches to sophisticated "insider" infiltration. By exploiting artificial intelligence (AI) and the rise of remote work, these actors have successfully penetrated some of the top technology companies in the United States.
According to the latest report by global cybersecurity firm CrowdStrike, North Korean hacking groups, most notably "Famous Chollima," accounted for a staggering 47% of all state-sponsored "hands-on-keyboard" cyberattacks targeting tech companies between April 2025 and May 2026. Unlike automated malware, hands-on-keyboard attacks involve human hackers actively operating within a compromised system over an extended period.
The primary tactic deployed by these operatives involves employment fraud. Posing as highly skilled IT developers or software engineers, North Korean hackers apply for remote positions at tech firms across the U.S., Europe, and Asia. To bypass stringent hiring protocols, they utilize stolen passports, forged driver's licenses, and generative AI-driven deepfake technology, allowing them to pass live video interviews by altering their faces and voices in real time.
Once hired, these covert operatives gain legitimate internal access credentials. They not only draw regular corporate salaries to fund the regime but also exfiltrate sensitive data and proprietary intellectual property. In some instances, they have even blackmailed their employers, threatening to leak stolen data unless ransoms are paid.
Cryptocurrency and blockchain firms remain prime targets. By infiltrating these sectors, North Korean operatives have stolen billions of dollars in digital assets to circumvent international sanctions. CrowdStrike estimates that the regime pocketed approximately $2 billion through crypto-thefts in 2025 alone.
The scale of this threat has put both tech giants and U.S. law enforcement on high alert. Amazon revealed it has blocked over 1,800 North Korean-linked applicants since 2024. Meanwhile, U.S. authorities have cracked down on domestic accomplices running "laptop farms"—facilities inside the U.S. where corporate laptops are hosted and remotely controlled by illicit personnel based overseas.
Cybersecurity experts warn that generative AI has eliminated earlier weaknesses in North Korean operations, such as poor English grammar or clumsy identity verification, making the scams highly scalable and precise. The report concludes that traditional firewalls are no longer sufficient. As the cyber battlefield shifts from breaching networks to exploiting human trust, corporate human resources and hiring systems have officially become the new frontline of national security.