CrowdStrike Warns That North Korean Spies Posing as Remote Workers Have Breached Hundreds of Companies
Experts from the security firm CrowdStrike have observed a significant rise, compared to prior years, in cases where North Koreans posing as remote IT workers have infiltrated organizations to financially support the regime.
According to CrowdStrike’s most recent threat hunting report, the past year has seen over 320 recorded incidents—a remarkable 220% increase from the previous year—where North Koreans deceitfully secured remote developer roles within Western companies.
The operation relies on North Koreans using fake identities, resumes, and employment histories to gain jobs and generate income for the regime. Employment also gives them access to sensitive information from the companies they work for, which they can later use for extortion. The ultimate objective is to finance North Korea’s sanctioned nuclear weapons program, and the scheme has reportedly generated billions for the regime to date.
While the precise number of North Korean IT workers infiltrating unsuspecting U.S. companies remains uncertain, estimates suggest it could reach into the thousands.
CrowdStrike refers to these North Korean IT operatives as “Famous Chollima,” a classification within its hacking group taxonomy. The operatives use generative AI and other AI-based tools to create resumes, and even use deepfakes to modify their appearance during remote interviews.
Though this tactic isn’t new, North Koreans seem to be increasingly successful in securing jobs, despite sanctions that prohibit U.S. companies from hiring North Korean nationals.
CrowdStrike’s report suggests that one effective method to prevent the hiring of sanctioned individuals is to enhance identity verification processes during recruitment. TechCrunch has informally learned of some crypto-related companies asking potential hires to make critical statements about North Korea’s leader, Kim Jong Un, to detect potential spies. Candidates from North Korea are often under stringent scrutiny, which makes complying with such a request impractical for them and is likely to reveal the fraudulent applicant.
Over the past year, the U.S. Department of Justice has sought to disrupt these operations by targeting U.S.-based facilitators aiding North Koreans in managing and executing their schemes. Measures taken include focusing on those operating “laptop farms,” which consist of multiple laptops set up for North Koreans to complete their tasks remotely, as if they were physically present in the United States.
In a June indictment, prosecutors disclosed that one North Korean operation had stolen the identities of 80 individuals in the U.S. between 2021 and 2024 to obtain remote jobs at over 100 U.S. companies.


