
Half. That is the number CrowdStrike dropped in its latest threat report, and it should make every CTO, every hiring manager, and every developer who has ever interviewed a remote candidate sit up straight. According to the cybersecurity firm, North Korean hackers posing as remote IT workers and recruiters have been responsible for roughly 50 percent of all attacks on the US tech industry over the past twelve months.
Not 10 percent. Not 20. Half. Let that sink in.
The Scale of the Threat
CrowdStrike’s data, published this week, paints a picture that feels almost unbelievable until you remember how long North Korea has been playing this game. The Democratic People’s Republic of Korea has spent decades turning its cyber operations into a state-sponsored revenue engine. The Lazarus Group alone has pulled off some of the most brazen digital heists in history — from the Sony Pictures hack in 2014 to the WannaCry ransomware outbreak in 2017, and more recently, the $600 million Ronin bridge theft that targeted a blockchain gaming network.
But this latest wave is different. It is not about stealing cryptocurrency or destroying movie studios. It is about infiltration at scale. DPRK operatives are not breaking through firewalls — they are walking through the front door, dressed as job applicants.
How the Scheme Works
The playbook is deceptively simple. North Korean operatives use stolen or fabricated identities to apply for remote software engineering, IT support, and DevOps positions at American technology companies. They build convincing resumes, sometimes backed by fake LinkedIn profiles and references from shell companies. Once hired, they do not immediately cause damage. In many cases, they actually perform the job for weeks or months, earning salaries that are then funneled back to the North Korean regime.
That is phase one: money laundering disguised as employment.
Phase two is where it gets dangerous. With legitimate access to corporate networks, these insiders begin to exfiltrate data, plant backdoors, or pivot to partner organizations. Because they are employees, their activity often bypasses the very security controls designed to stop external attackers. Multi-factor authentication? They have it. VPN access? They were given it. Source code repositories? They were invited.
Some operatives do not even wait for a job offer. CrowdStrike notes that DPRK hackers are also posing as recruiters, contacting real developers with fake job opportunities that serve as pretexts for credential harvesting and social engineering. If you have received a suspicious LinkedIn message about a “high-paying remote role” recently, you are not alone — and the person on the other end might not be who they claim to be.
Why Tech Companies Are Vulnerable
The remote work revolution, for all its benefits, has created a massive identity verification gap. Pre-2020, most companies would interview candidates in person, check government IDs against faces, and verify employment history through direct phone calls. Today, a video call with a fake background and a well-rehearsed script is often enough to get someone on the payroll.
Compounding the problem is the tech industry’s relentless hunger for engineering talent. Companies are hiring faster than they can vet. Background checks, which were already uneven, have become even more cursory in a market where speed-to-hire is a competitive advantage. I wrote recently about how even basic security hygiene like SSH hardening gets overlooked in the rush to ship features. Identity verification is no different.
The result? North Korea has found a revenue stream and an intelligence pipeline that costs them almost nothing to operate. A single successful placement can yield a six-figure salary, internal network access, and months of undetected reconnaissance.
What This Means for Asia and the Philippines
From my desk in the Philippines, the geopolitical angle is impossible to ignore. The Asia-Pacific region is caught in a complex web: South Korea, Japan, and the United States are deepening military and intelligence cooperation, while North Korea continues to treat cyber operations as both a weapon and a wallet. The Lazarus Group and other DPRK-affiliated threat actors have historically targeted South Korean exchanges, banks, and government systems. But their ambitions are clearly global now.
For Filipino developers and IT professionals, the implications are twofold. First, we are increasingly competing in the same global remote job market in which these operatives are active. That means the vetting standards we encounter — or lack thereof — affect us directly. Second, the Philippines’ growing BPO and IT outsourcing sector makes it a potential secondary target, not because of political alignment, but because of economic value. If a DPRK operative can infiltrate a US tech firm, they can almost certainly infiltrate a firm that provides IT services to US companies.
And let us be honest: the security posture of many Philippine organizations, especially in government and small-to-medium enterprises, is not where it needs to be. Microsoft’s recent record-breaking Patch Tuesday, with 206 vulnerabilities including three zero-days, is a reminder that the attack surface is expanding everywhere. The difference between a nation-state actor and a script kiddie is not the tools they use — it is the patience they bring.
What Companies Should Actually Do
This is not a problem that gets solved by buying another endpoint detection tool. The threat is fundamentally about identity and access. Here are the practical shifts that matter:
- Verify identity, not just skills. Video interviews should include live identity verification. Government ID checks, reference verification through known company domains, and even brief probation periods with limited network access are all worth the friction.
- Segment access aggressively. New hires — especially remote ones — should not have access to production environments, customer databases, or source code repositories on day one. The principle of least privilege is not a suggestion.
- Monitor for anomalous behavior. An employee who works strange hours, accesses unusual systems, or downloads large volumes of data should trigger review, not because they are suspicious, but because the baseline is unknown.
- Audit third-party connections. If your company uses contractors, outsourcing partners, or BPOs, the risk cascades. The IronWorm supply chain attack showed how quickly threats can spread through trusted channels, and that was just malware in npm packages. Human insiders are far harder to detect.
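As an added example (not from the article, CrowdStrike, or any vendor tool), here is a small review-trigger script for the "monitor for anomalous behavior" point above: it applies deliberately simple rules only to accounts still inside a hypothetical 90-day window in which no behavioural baseline exists, and runs them over constructed sample access-log entries. The thresholds, system names, hire dates and log format are all assumptions.

```python
# Added example: flag activity by recently hired accounts for human review.
# A new hire has no behavioural baseline yet, so the rules are conservative
# and the output is a list of review triggers, not verdicts.
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical policy values, not taken from any real programme.
PROBATION_DAYS = 90                  # baseline considered unknown this long
WORK_HOURS = (6, 22)                 # expected local login window [start, end)
DAILY_DOWNLOAD_LIMIT = 500_000_000   # bytes per account per day before review
SENSITIVE_SYSTEMS = {"prod-db", "source-repo", "customer-pii"}

# Constructed sample data: hire dates and an access log for three accounts.
HIRES = {"alice": datetime(2024, 1, 8), "bob": datetime(2024, 5, 20),
         "carol": datetime(2022, 3, 1)}
EVENTS = [
    # (user, timestamp, system, bytes_downloaded)
    ("alice", datetime(2024, 6, 3, 10, 15), "wiki", 2_000_000),
    ("bob", datetime(2024, 6, 3, 2, 40), "vpn", 0),                 # 02:40 login
    ("bob", datetime(2024, 6, 3, 3, 5), "source-repo", 300_000_000),
    ("bob", datetime(2024, 6, 3, 3, 30), "source-repo", 250_000_000),
    ("carol", datetime(2024, 6, 3, 1, 0), "prod-db", 900_000_000),  # tenured staff
]

def is_probationary(user, when, hires=HIRES, days=PROBATION_DAYS):
    """True if the account is still inside its baseline-unknown window."""
    hired = hires.get(user)
    return hired is not None and when - hired < timedelta(days=days)

def review_new_hires(events, hires=HIRES):
    """Return (user, reason) findings for probationary accounts only."""
    findings = []
    daily_bytes = defaultdict(int)  # (user, date) -> bytes downloaded so far
    for user, when, system, nbytes in events:
        if not is_probationary(user, when, hires):
            continue  # tenured staff have a baseline; handled by other tooling
        if not WORK_HOURS[0] <= when.hour < WORK_HOURS[1]:
            findings.append((user, f"out-of-hours access to {system} at {when:%H:%M}"))
        if system in SENSITIVE_SYSTEMS:
            findings.append((user, f"sensitive system {system} during probation"))
        key = (user, when.date())
        daily_bytes[key] += nbytes
        # Fire once, on the event that first pushes the day over the limit.
        if daily_bytes[key] > DAILY_DOWNLOAD_LIMIT >= daily_bytes[key] - nbytes:
            findings.append((user, f"downloaded {daily_bytes[key]:,} bytes on {key[1]}"))
    return findings
```

Running `review_new_hires(EVENTS)` yields six findings, all for the account hired two weeks earlier; the tenured account's larger night-time download is deliberately left to baseline-aware monitoring.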
The Bottom Line
North Korea’s cyber program is not new. What is new is the scale, the audacity, and the sophistication of using employment itself as an attack vector. When a nation-state can staff your engineering team with its own operatives, the traditional boundaries between “inside” and “outside” the network collapse.
For those of us building and managing technology in Southeast Asia, this is a wake-up call. Security is not just about patching servers or writing better code, though both matter. It is about knowing who you are letting into your virtual building. Because right now, half of the attacks on US tech are coming from people who were invited in.
And that is a statistic no one can afford to ignore.
Source: TechCrunch — North Koreans behind nearly half of US tech industry hacks, says CrowdStrike