North Korean Hackers Pose As IT Workers In Growing Threat To Tech Firms
A North Korean hacking group posing as remote IT workers has emerged as one of the most active threats facing global technology companies, according to a new report from cybersecurity firm CrowdStrike.
The group, tracked by CrowdStrike as FAMOUS CHOLLIMA, reportedly accounted for 47 percent of all hands-on-keyboard intrusions targeting technology companies across North America, Europe and Asia between April 2025 and March 2026.
Hands-on-keyboard intrusions are attacks in which a human operator actively controls and interacts with a compromised system, rather than relying only on automated malware. In this case, the threat is particularly difficult to defend against because the attackers are not always breaking in from the outside. In many cases, they are first getting hired, so the activity arrives through a legitimately issued account on a company-managed device.
CrowdStrike’s findings point to a growing North Korean strategy of using fake identities to secure remote software development and technology roles. Once inside an organisation, the operatives can access internal systems, source code, developer tools and company infrastructure from a position of apparent trust.
The group is understood to have targeted remote software developer roles, with particular interest in blockchain, cryptocurrency, fintech and other technology companies. After gaining access, attackers have reportedly deployed malware, stolen cryptocurrency and pursued intelligence collection.
The tactic reflects a major shift in cyber risk. Companies have long worried about hackers stealing employee credentials or exploiting software vulnerabilities. Now, they must also consider the possibility that a seemingly legitimate remote worker, contractor or developer may be operating on behalf of a sanctioned state.
North Korea has increasingly used cyber operations and fraudulent IT work to generate revenue. US and allied authorities have warned that such schemes may help fund Pyongyang’s weapons programs while giving North Korean operatives access to sensitive corporate environments.
The growth of remote work has created an opening. Technology companies routinely hire developers across borders, conduct interviews over video calls and ship laptops to remote employees or contractors. Those practices are efficient and often necessary, but they can also be manipulated by attackers using stolen identities, fake documents, AI-generated profiles and third-party facilitators.
In some schemes, company laptops are sent to addresses controlled by intermediaries outside North Korea. The devices are then configured with remote-control software so overseas operatives can drive them while the laptop itself sits at an approved location. Because the device really is where it is supposed to be, IP geolocation and VPN checks on its traffic show nothing unusual. What gives the scheme away is the remote-access tooling on the laptop, the shared infrastructure behind several apparently separate "workers", and activity that follows the operator's working day rather than the declared time zone.
The CrowdStrike report arrives as the broader technology sector faces intense attention from both cybercriminals and state-sponsored groups. Companies working in artificial intelligence, software, semiconductors, cloud services, blockchain and developer infrastructure are particularly attractive because they hold valuable intellectual property and trusted access into wider digital ecosystems.
The North Korean activity is part of a larger threat landscape in which state-backed and financially motivated actors are increasingly targeting technology companies. CrowdStrike also identified China-linked groups as a major espionage threat to the sector, particularly around artificial intelligence and intellectual property.
For employers, the FAMOUS CHOLLIMA findings raise urgent questions about hiring controls, contractor oversight and identity verification.
Traditional background checks may not be enough if applicants are using stolen personal information or synthetic identities. Video interviews may also be less reliable as attackers become more sophisticated with AI-assisted personas, deepfake-style presentation and rehearsed technical assessments.
Cybersecurity teams are now being urged to work more closely with human resources, legal, procurement and IT departments. The hiring process itself has become part of the security perimeter.
Companies should verify identity documents carefully, review inconsistencies in employment history, check whether multiple applicants share phone numbers, addresses, email patterns or the same source IP addresses and devices, and monitor whether equipment is being shipped to an address that differs from the stated home address or belongs to a mailbox or forwarding service. They should also scrutinise requests to use personal devices, to install remote access tools on company equipment, or to be paid through unusual channels or third parties.
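The cross-applicant checks above are straightforward to automate on the data a recruiting system already holds. The following is an added example, not code from CrowdStrike or from the original article: it normalises phone numbers, emails, shipping addresses and application source IPs across a small set of constructed applicant records, reports any value shared by more than one applicant, and flags shipping addresses that look like a mail-forwarding service. The applicant records, the forwarding-service token list and the street-abbreviation map are illustrative assumptions; a real deployment would draw them from the applicant-tracking system and from the organisation's own shipping data.

```python
import re
from collections import defaultdict

# Constructed sample applicant records (fictitious people, documentation IP ranges).
APPLICANTS = [
    {"id": "A1", "email": "Jordan.Lee+jobs@example.com", "phone": "+1 (415) 555-0142",
     "apply_ip": "203.0.113.10", "ship_to": "1200 Market St, PMB 214, San Francisco, CA"},
    {"id": "A2", "email": "sam.park@example.net", "phone": "415-555-0142",
     "apply_ip": "198.51.100.7", "ship_to": "88 Oak Ave, Austin, TX"},
    {"id": "A3", "email": "chris.diaz@example.org", "phone": "+1 415 555 0199",
     "apply_ip": "203.0.113.10", "ship_to": "1200 Market Street PMB 214 San Francisco CA"},
    {"id": "A4", "email": "taylor.kim@example.com", "phone": "+1 650 555 0100",
     "apply_ip": "192.0.2.44", "ship_to": "5 Pine Rd, Denver, CO"},
]

# Tokens that, in this illustrative list, suggest a private mailbox or forwarding
# service rather than a residence (assumption; tune against your own shipping data).
FORWARDING_TOKENS = {"pmb", "mailbox", "forwarding", "reship", "freight"}

# Street-type spellings collapsed so "Market St" and "Market Street" compare equal.
STREET_ABBREV = {"street": "st", "avenue": "ave", "road": "rd", "drive": "dr"}


def norm_phone(phone: str) -> str:
    """Keep digits only and compare on the last 10 (the national number)."""
    return re.sub(r"\D", "", phone)[-10:]


def norm_email(email: str) -> str:
    """Lower-case and drop a '+tag' so jordan+a@ and jordan+b@ collide."""
    local, _, domain = email.lower().partition("@")
    return f"{local.split('+')[0]}@{domain}"


def norm_address(addr: str) -> str:
    """Lower-case, strip punctuation, collapse whitespace and street abbreviations."""
    tokens = re.sub(r"[^a-z0-9 ]", " ", addr.lower()).split()
    return " ".join(STREET_ABBREV.get(t, t) for t in tokens)


NORMALISERS = {"phone": norm_phone, "email": norm_email,
               "apply_ip": str, "ship_to": norm_address}


def find_shared(applicants):
    """Map (field, normalised value) -> sorted applicant ids, for values used by >1 applicant."""
    seen = defaultdict(set)
    for a in applicants:
        for field, norm in NORMALISERS.items():
            seen[(field, norm(a[field]))].add(a["id"])
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}


def forwarding_addresses(applicants):
    """Ids whose laptop shipping address contains a forwarding-service token."""
    return sorted(a["id"] for a in applicants
                  if set(norm_address(a["ship_to"]).split()) & FORWARDING_TOKENS)


def risk_summary(applicants):
    """Per-applicant list of reasons to route the file for manual identity review."""
    reasons = defaultdict(list)
    for (field, value), ids in find_shared(applicants).items():
        for i in ids:
            others = ",".join(o for o in ids if o != i)
            reasons[i].append(f"shares {field} {value!r} with {others}")
    for i in forwarding_addresses(applicants):
        reasons[i].append("laptop shipping address looks like a mail-forwarding service")
    return dict(reasons)


if __name__ == "__main__":
    for applicant_id, why in sorted(risk_summary(APPLICANTS).items()):
        print(applicant_id, "->", "; ".join(why))
```

On the constructed data, A1 and A2 share a phone number, A1 and A3 share both an application IP and a shipping address (spelled differently), and both of those addresses carry a private-mailbox marker. None of these is proof of fraud on its own; the point is to surface the overlap before an offer goes out so a human can ask for a live, document-backed identity check.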
Once a worker is onboarded, access should be limited to what is necessary for the role. New employees and contractors should not receive broad access to production environments, code repositories, wallets, customer data or sensitive systems without clear business justification and monitoring.
Security teams should also watch for behavioural indicators, including login times that do not fit the worker's declared time zone, remote desktop or remote-control software running on a company laptop, multiple workers connecting through the same IP addresses or infrastructure, attempts to bypass endpoint controls, unexpected code or repository access, and signs that one person may be operating multiple accounts.
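Three of those indicators can be checked directly against authentication and endpoint telemetry. The following is an added example, not code from CrowdStrike or from the original article: it parses a handful of constructed key=value log lines, then reports source IPs used by more than one account, logins that fall outside working hours in each worker's declared time zone, and remote-control tools launched on company laptops. The log format, the declared UTC offsets and the remote-tool list are assumptions for illustration; in practice the same logic runs over your identity provider's sign-in log and your EDR's process events.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed log lines in a simple key=value format (not from any real product).
LOG_LINES = """\
2026-03-02T09:14:05Z user=jlee src=203.0.113.10 event=login
2026-03-02T09:20:41Z user=cdiaz src=203.0.113.10 event=login
2026-03-02T17:02:09Z user=tkim src=192.0.2.44 event=login
2026-03-02T09:25:00Z host=LT-0142 user=jlee event=process name=AnyDesk.exe
2026-03-02T18:10:00Z host=LT-0199 user=tkim event=process name=Code.exe
2026-03-02T09:31:12Z user=spark src=203.0.113.10 event=login
2026-03-03T10:02:00Z user=jlee src=203.0.113.10 event=login
""".splitlines()

# Work-location UTC offsets each worker declared at hiring (assumed to exist in HR data).
DECLARED_UTC_OFFSET = {"jlee": -8, "cdiaz": -8, "spark": -6, "tkim": -7}

# Remote-control tools that should not run on a managed laptop unless IT deployed
# them (illustrative list; compare against your own software allow-list).
REMOTE_TOOLS = {"anydesk.exe", "teamviewer.exe", "rustdesk.exe",
                "chrome_remote_desktop_host.exe"}

WORK_HOURS = range(7, 20)  # 07:00 to 19:59 local time counts as normal


def parse(line):
    """Split 'TIMESTAMP k=v k=v ...' into a dict with an aware UTC datetime under 'ts'."""
    ts, _, rest = line.partition(" ")
    rec = dict(kv.split("=", 1) for kv in rest.split())
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return rec


def shared_source_ips(records, min_users=2):
    """Source IPs from which at least min_users distinct accounts logged in."""
    by_ip = defaultdict(set)
    for r in records:
        if r.get("event") == "login":
            by_ip[r["src"]].add(r["user"])
    return {ip: sorted(users) for ip, users in by_ip.items() if len(users) >= min_users}


def off_hours_logins(records):
    """(user, local time) for logins outside WORK_HOURS in the user's declared zone."""
    hits = []
    for r in records:
        if r.get("event") != "login":
            continue
        local = r["ts"] + timedelta(hours=DECLARED_UTC_OFFSET[r["user"]])
        if local.hour not in WORK_HOURS:
            hits.append((r["user"], local.strftime("%Y-%m-%d %H:%M")))
    return hits


def remote_tool_launches(records):
    """(host, user, process) for remote-control tools seen in process events."""
    return sorted((r["host"], r["user"], r["name"]) for r in records
                  if r.get("event") == "process" and r["name"].lower() in REMOTE_TOOLS)


def triage(lines):
    """Run all three checks over raw log lines and return the findings."""
    records = [parse(line) for line in lines]
    return {
        "shared_ips": shared_source_ips(records),
        "off_hours": off_hours_logins(records),
        "remote_tools": remote_tool_launches(records),
    }


if __name__ == "__main__":
    for check, findings in triage(LOG_LINES).items():
        print(check, findings)
```

On the constructed data, three different accounts sign in from 203.0.113.10, every one of those sign-ins lands between 01:00 and 04:00 in the worker's declared time zone, and one of the laptops launches a remote-control client minutes after the login. Any single signal has benign explanations (a shared office VPN egress, a night owl, a support session), which is why the checks are combined and the output feeds an analyst rather than an automatic lockout.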
For Australian companies, the warning is highly relevant. Australia has joined international efforts to counter North Korean remote IT worker schemes, and local technology businesses increasingly recruit across borders. Startups, blockchain projects, software firms and professional services businesses may be especially exposed if they rely heavily on remote contractors.
The risk is not limited to large companies. Smaller firms may have weaker hiring controls, fewer security staff and less mature monitoring. That can make them attractive to operatives seeking access to code, credentials or cryptocurrency assets.
The report also highlights the growing role of AI in identity deception. Fake profiles are becoming more convincing. Written applications can be polished with generative tools. Interviews can be rehearsed or manipulated. Technical tests can be completed with AI assistance. The same technology helping legitimate workers become more productive can also help malicious actors blend in.
This does not mean remote hiring should stop. Remote work is now a normal part of the global technology economy. But it does mean trust can no longer be assumed simply because someone passed an interview, completed a coding test or provided documentation.
The most important lesson for employers is that cybersecurity no longer begins after someone joins the company. It begins before the offer letter.
North Korean IT worker schemes exploit the gap between recruitment, identity verification and internal access. Closing that gap requires better coordination across business functions, stronger onboarding controls and a willingness to treat hiring fraud as a cyber threat.
FAMOUS CHOLLIMA’s activity shows how state-backed hacking has adapted to modern work. The attacker may not always arrive as malware, a phishing email or a suspicious login. Sometimes, the attacker arrives as a developer with a polished resume, a convincing interview and a request for a company laptop.
For technology companies, that is a threat model that can no longer be ignored.
Cyber threats are no longer limited to suspicious links and obvious scams. Attackers are using fake identities, remote work loopholes and social engineering to gain trusted access to businesses.
The best defence starts with knowledge.
If you want to better understand how modern cyberattacks work, and how to protect yourself, your workplace and your digital assets, now is the time to upskill. The Hack Academy’s online training programme gives you practical cybersecurity knowledge you can apply in the real world.
Strengthen your defences, build your confidence and take control of your online security with The Hack Academy.
Photo Credit: DepositPhotos.com
