North Korean Hackers, Famous Chollima, Carry Out 47% of US Tech Hands-On-Keyboard Attacks

10 June, 2026 | USA | 6 sources

Key Takeaways

  • FAMOUS CHOLLIMA accounted for 47% of hands-on-keyboard intrusions on US tech firms.
  • China-based adversaries responsible for over 58% of state-sponsored cyberattacks on tech.
  • North Koreans posed as remote IT workers and recruiters to breach firms.

North Korea and US Tech

CrowdStrike said North Korean hackers are responsible for nearly half of all hands-on-keyboard cyberattacks against US technology companies, with the report naming the group “Famous Chollima” as carrying out 47% of all state-sponsored activity targeting the tech sector between April 2025 and May 2026.

A report by CrowdStrike, released on Tuesday, revealed that over 58% of state-sponsored cyberattacks on tech companies, particularly those possessing AI assets, are emanating from China

Benzinga

Forbes reported that FAMOUS CHOLLIMA accounted for 47% of all hands-on-keyboard intrusions targeting tech companies across North America, Europe and Asia between April 2025 and March, and that the group posed as fake IT workers while conducting “extensive” operations targeting remote software developer roles.

TechCrunch said CrowdStrike found North Korean hackers posing as remote IT workers and online recruiters made up about half of all documented “hands-on-keyboard” intrusions at U.S. tech companies over the past year.

The report described how Famous Chollima used AI to generate real-time deepfake images and paired them with fraudulent identity documents like stolen passports and driver licenses to pose as Americans or other foreign nationals.

TechCrunch added that once inside, the hackers stole information and cryptocurrency to fund Pyongyang’s nuclear weapons program, which is banned under international law.

China’s Share and Methods

CrowdStrike also warned that China-based entities accounted for more than 58% of state-sponsored targeted cyberattacks aimed at tech companies, especially their AI assets, in analysis covering events over the 12 months to March 31.

Benzinga reported that a CrowdStrike report released on Tuesday found over 58% of state-sponsored cyberattacks on tech companies emanating from China, and quoted CrowdStrike saying, “China-nexus adversaries are escalating espionage against technology organizations to steal the AI capabilities and intellectual property they cannot build fast enough on their own.”

CNBC said CrowdStrike warned that Chinese-affiliated cyberattacks targeted government communications in Southeast Asia and “maintained persistent access” to North American tech organizations by taking advantage of vulnerabilities.

Benzinga further said CrowdStrike identified SUNRISE PANDA focusing on East and Southeast Asian tech firms, MURKY PANDA launching password-spraying attacks against hundreds of mostly U.S.-based organizations, and WARP PANDA repeatedly exploiting vulnerabilities at North American tech companies to maintain long-term access.

CNBC noted that the Cyberspace Administration of China did not immediately respond to CNBC's faxed request for comment.

US Restrictions and Fallout

Benzinga said CrowdStrike’s report suggested that U.S. restrictions on China’s access to AI training chips have impeded Beijing’s tech advancement, while also describing China’s efforts to formulate its own AI models to cut operating costs and provide nearly equivalent intelligence.

Topline: One North Korean hacking group that posed as fake IT workers accounted for nearly half of all state-sponsored attacks on tech companies, according to an annual report Tuesday from the cybersecurity firm CrowdStrike, as concerns mount about advances in AI

Forbes

Zamin.uz reported that CrowdStrike data showed North Korean hackers used AI technologies to create real-time deepfakes and used stolen passports and driver's licenses to pose as citizens of the US or other countries to secure remote jobs at major tech companies.

Zamin.uz added that once inside a system, hackers often blackmail companies in addition to stealing intellectual property, threatening to leak stolen data if payment is not made, and that they also target blockchain developers to steal cryptocurrencies.

TechCrunch said CrowdStrike warned that the attacks generally begin with stolen passwords or credentials and then abuse legitimate tools already present in the target’s systems to maintain persistent access over time.

Le Parisien tied CrowdStrike to a separate development by saying the massive outage affecting numerous sectors and many global companies this Friday is linked to CrowdStrike, and that the American company acknowledged responsibility for the outage and said it was working to resolve the issue.
