CrowdStrike: North Koreans drove about half of hacks in last 12 months
If your security roadmap still assumes “human error,” this CrowdStrike update says you are budgeting for the wrong enemy.

CrowdStrike says North Korean hackers, posing as remote IT workers and recruiters, accounted for about half of all attacks over the past 12 months across the U.S., Europe, and Asia. For decision-makers, that scale changes how urgently boards should treat identity access, remote hiring risk, and attack resilience.
CrowdStrike reports that North Korean hackers, posing as remote IT workers and recruiters, accounted for about half of all attacks over the past 12 months. That is not a niche threat or a “best effort” category. It is roughly half of the attack volume, and it is showing up across the U.S., Europe, and Asia.
This matters immediately because the attackers are not only targeting software vulnerabilities in the dark. They are blending in with the way companies actually operate, using impersonation tactics that look plausible to employees and teams. When threat actors can convincingly present themselves as remote IT staff or as recruiters, they can pressure the human side of security, not just the technical side. And if that pattern represents about half of recent attacks, the implication is hard to dodge: a big portion of your risk is social engineering plus identity and access, executed at a multinational scale.
To understand why this hits boards and executives so directly, you have to zoom out to how cyber defenses are funded and measured. Many organizations historically optimized for preventing known malware or blocking specific exploit classes. But if attackers are spending their effort on impersonation, the game shifts toward controls that stop the wrong person from getting the right access. That can include tightening how remote support is requested and authenticated, how onboarding is verified, how credential use is monitored, and how “urgent” requests are handled. The threat is not theoretical. It is actively surfacing in the operational routines of distributed workforces.
The CrowdStrike framing also raises a second-order issue: remote work and distributed hiring are not just productivity stories. They are also an attack surface. Recruiter impersonation, especially, targets workflows that are time-sensitive and relationship-driven. Companies move quickly when they are hiring. People respond to messages quickly when they think they are coordinating background checks, interviews, IT onboarding, or contract work. Attackers who can mirror those patterns effectively can compress the time window defenders have to detect and respond.
There is also a governance angle. When a single actor, or at least a single state-linked threat group, accounts for such a large share of attacks over a defined period, boards tend to ask different questions. Not “Are we protected against the latest exploit?” but “Do we have assurance that our people, processes, and access pathways hold up when the attacker is patient and well resourced?” That means incident readiness, not just incident prevention. It means clear escalation routes when employees see suspicious remote IT activity. It means the ability to quickly validate who requested what, when, and why.
For decision-makers, the practical interpretation is that your risk model should reflect the proportion of real-world attack activity. If about half of attacks over the past 12 months trace back to North Korean hackers using remote worker and recruiter impersonation, then defenses that only address low-level hygiene or generic awareness training are unlikely to be enough. You also need controls that work under pressure, with people who may not be security specialists. In other words, security has to function as a system, not as a poster on a wall.
Finally, the cross-region aspect is a reminder that cyber risk does not respect organizational boundaries. CrowdStrike points to U.S., European, and Asian companies, which suggests these tactics are scalable and repeatable across different regulatory and cultural environments. That affects everyone with multinational vendors, global payroll, or shared services. If your organization relies on remote contractors or centralized IT help desks, or if you operate in jurisdictions with different incident reporting norms, the “half the attacks” statistic should still inform your internal posture. The stakes are operational continuity, brand trust, and the speed with which you can contain and recover when impersonation leads to access or action.
In short, CrowdStrike is describing a threat that is both large and human-centered. North Korean hackers, posing as remote IT workers and recruiters, accounted for about half of attacks over the past 12 months. For executives, the question is no longer whether impersonation is a risk. The question is whether your controls, verification steps, and incident readiness are built for a world where the impersonation attacker is showing up at scale.
