The remote-hire funnel is now a state-actor entry point. A North Korea-linked cluster CrowdStrike calls "Famous Chollima" accounted for 47% of the state-backed, hands-on-keyboard intrusions the security vendor observed against technology companies between April 2025 and May 2026, according to CrowdStrike's 2026 Technology Threat Landscape Report. That is not "47% of all hacks." It is one vendor's tally of a specific class of attack in a specific industry, and the number's real weight is what it says about how the attacker got in: a job listing, a deepfake interview, and a laptop on the company VPN.
"Hands-on-keyboard" is the part that matters. CrowdStrike uses the term for intrusions driven by human operators using legitimate tools already present in the environment, the living-off-the-land pattern that lets an attacker blend into normal administrator behavior. It is the hardest class of intrusion to catch with commodity antivirus, because there is no exotic malware signature to flag. The vendor separates it from automated malware and from supply-chain compromise, both of which North Korea-linked actors have also used in recent years. The 47%, then, is the share of one very specific bucket, and Famous Chollima is one of several DPRK-aligned clusters CrowdStrike names in the report. It is not "all of North Korea."
The tradecraft starts before the intrusion. CrowdStrike documents operators posing as remote developers, coders, and IT staff, generating real-time AI deepfake faces and pairing them with fraudulent identity documents, including stolen U.S. and foreign passports and driver's licenses. The interviews are live, the faces move, the answers are good enough to pass. Once hired, the operator is issued a corporate laptop and credentials. From there the playbook is the same one defenders have been seeing for years: use the legitimate access to log into code repositories, internal dashboards, and cloud consoles, and move slowly enough not to trip a wire. Targets span U.S., European, and Asian tech companies, according to the TechCrunch security desk.
The money trail is the part that turns this from a security beat story into a hiring story. Salaries paid by the infiltrated company are routed back to the Kim Jong Un regime, alongside stolen intellectual property and, increasingly, cryptocurrency. CrowdStrike describes a separate North Korea-linked campaign that targets blockchain developers for crypto theft, and prior TechCrunch reporting has put 2025 crypto theft linked to North Korea at roughly $2 billion. The U.N. Panel of Experts, U.S. Treasury advisories, and prior FBI and DOJ indictments of North Korean IT-worker rings have all documented the salary-laundering pipeline that funds a nuclear weapons program banned under international sanctions. The job is the funding line.
When the operator is caught, the leverage shifts. CrowdStrike documents operators extorting victims by threatening to publish stolen source code or internal data unless paid, turning a successful intrusion into a second monetization event on top of the salary and the IP. The pattern has shown up across indictments of North Korean IT-worker rings over the past two years.
Two honest caveats. The 47% comes from a single major endpoint-detection vendor's annual report, drawn from its own customer base, and CrowdStrike has a commercial interest in publishing alarming threat data. And the metric excludes automated malware and supply-chain compromise, so it captures Famous Chollima's slice of one specific attack class, not the full DPRK intrusion footprint.
The question for 2026 is what the remote-hiring and security-operations playbooks need to look like next. Continuous identity verification across the employee lifecycle is one shift, replacing a one-time interview check with ongoing assurance. Behavioral detection needs to flag legitimate-tool abuse at the endpoint the same way it already flags credential misuse, and contractor and remote-hire laptops have to be treated as state-actor endpoints rather than low-trust consumer devices. CrowdStrike frames the threat as growing. The structural failure sits on the defender and hiring side of the table, and that is where the gap has to be closed.