- The CrowdStrike Report: The Numbers Redefining the Threat
- Anatomy of Infiltration: How North Korean Groups Operate
- Why Italian SMEs Are Not Immune
- Strategic Reading: Beyond the Technical Perimeter
- Operational implications: what to do concretely
- The still-open construction site: what's missing in the Italian debate
- Outlook 2027-2028: The Threat Evolves
A new report from CrowdStrike reveals an alarming statistic: North Korean hackers are responsible for nearly half of all cyberattacks recorded in the tech sector over the past twelve months. Moreover, the threat is not limited to large American corporations.
Infiltration campaigns extend to Europe and Asia. There are two main vectors: remote IT workers posing as legitimate freelancers, and fake recruiters contacting employees of target companies. Consequently, even Italian SMEs in the technology and advanced manufacturing sectors are exposed to concrete risks. Those managing distributed teams or hiring personnel through international digital platforms are particularly vulnerable.
At SHM Studio, we monitor these dynamics to support Italian businesses in building a secure and structured digital presence. However, cybersecurity isn't just an IT issue: it involves hiring processes, digital identity management, and corporate culture. In summary, this article analyzes the numbers behind the phenomenon, the strategic implications for SMEs, and the operational countermeasures to adopt immediately.
The CrowdStrike Report: The Numbers Redefining the Threat
In June 2026, TechCrunch reported on CrowdStrike's findings on one of the most underestimated phenomena in global cybersecurity. North Korean actors are responsible for approximately 50% of the cyberattacks recorded in the tech sector over the past twelve months. This is an extraordinary share, far exceeding that attributed to other state-sponsored groups.
Furthermore, the geographical scope of the threat has expanded. Campaigns no longer only target US companies. In fact, Europe and Asia are explicitly among the priority targets. Consequently, the issue directly enters the agenda of Italian SMEs operating in tech, advanced manufacturing, and digital services.
There are two primary documented attack vectors. The first concerns remote IT workers who infiltrate organizations by posing as legitimate freelancers or contractors. The second involves fake recruiters who contact employees of target companies to steal credentials or install malware. The threat is therefore not purely technical: it is social and organizational.
Anatomy of Infiltration: How North Korean Groups Operate
To understand the scope of the risk, it's useful to examine documented operational techniques. North Korean groups, often categorized under the Lazarus Group umbrella and affiliated clusters, combine advanced social engineering with strong technical skills. In particular, they exploit global remote working platforms to insert themselves as employees or collaborators.
According to the analysis of Mandiant (Google Cloud), these operators use false identities built over time, with credible portfolios and verifiable references. Thus, they bypass the standard checks of many companies. Once inside, they exfiltrate data, install backdoors, or sabotage critical systems.
Also relevant is the tactic of fake recruiters. Through LinkedIn and other professional platforms, they contact engineers and developers with attractive job offers. Subsequently, they send infected files disguised as technical tests or contract documents. Despite this, many organizations have not yet updated their onboarding and selection protocols to include adequate security checks.
Why Italian SMEs Are Not Immune
There is a widespread perception among Italian small and medium-sized enterprises: "we are too small to be a target." This belief is dangerous. In reality, North Korean groups do not necessarily seek large immediate financial spoils. They often aim to build persistent access positions, to monetize or use as a bridgehead toward larger supply chains.
Therefore, an Italian tech SME that collaborates with European or American multinationals automatically becomes a potentially weak link. Likewise, companies that hire developers through international platforms—Upwork, Toptal, LinkedIn—are exposed to the risk of infiltration documented by CrowdStrike.
Furthermore, the Italian context presents aggravating specificities. The culture of verifying digital identities is still poorly structured. Remote onboarding processes rarely include in-depth checks. Additionally, training for non-technical staff on social engineering topics remains insufficient in most SMEs.
For this reason, we at SHM Studio believe cybersecurity should be integrated into the overall digital strategy of businesses, not treated as a separate issue delegated exclusively to IT.
Strategic Reading: Beyond the Technical Perimeter
The phenomenon described by CrowdStrike requires reflection that goes beyond firewalls and antivirus software. According to the Gartner Cybersecurity Framework, the most exposed organizations are those that have not aligned HR and operational processes with cybersecurity policies. Therefore, the problem is systemic.
In particular, three areas are critical for Italian SMEs:
- Digital identity management: who enters the organization, with what credentials, and with what level of access.
- Remote hiring processes: physical identity verification, structured video onboarding, reference checks through independent channels.
- Security culture: continuing education for all employees, not just technical teams.
Furthermore, the dimension of digital reputation is often overlooked. A company compromised by a state-sponsored actor suffers damage that goes far beyond data loss: credibility with customers, partners, and investors is eroded in a way that is difficult to reverse.
Operational implications: what to do concretely
Translating risk awareness into concrete actions is the most difficult step for many SMEs. However, there are achievable measures even without an enterprise budget.
First of all, it is necessary to review the identity verification processes for remote collaborators. This includes mandatory video calls with identification documents, reference checks through direct channels, and the use of certified background check tools.
Next, the principle of least privilege must be implemented: each collaborator accesses only the resources strictly necessary for their role. Consequently, any compromise remains contained and does not spread to the entire infrastructure.
Furthermore, training on phishing and social engineering must become periodic and mandatory. Attack simulations (phishing simulations) are effective and relatively inexpensive tools. Finally, adopting Multi-Factor Authentication (MFA) on all critical systems remains the measure with the best cost-benefit ratio available today.
On the digital presence front, the integrated AI solutions that SHM Studio develops for SMEs also include monitoring and anomaly detection components applicable to digital workflows. Similarly, a secure and up-to-date web architecture reduces the exposed attack surface.
The still-open construction site: what's missing in the Italian debate
The Italian public debate on cybersecurity is still missing a fundamental element: the explicit connection between cybersecurity and digital competitiveness. Often, the two conversations happen in separate silos. However, a company that suffers a significant breach doesn't just lose data; it loses competitive positioning, contracts, and trust.
Therefore, cybersecurity should be part of conversations about digital marketing, SEO, and overall digital transformation. It's not a separate topic. It's an enabler for any sustainable digital growth strategy.
Among other things, the platforms on which SMEs build their visibility, from LinkedIn to Google Ads, are also documented attack vectors. Therefore, those managing these platforms must be aware of the associated risks.
Finally, strategic copywriting and institutional communication can play an active role in building a security culture: clear messages, understandable policies, effective internal communication. These tools are part of a healthy digital ecosystem.
Outlook 2027-2028: The Threat Evolves
The projections for the next two years are not reassuring. In fact, North Korean groups are integrating generative artificial intelligence tools to make fake identities even more believable. Deepfake videos, synthetic profiles, and automated conversations will further lower detection barriers.
According to the analyses of MIT Technology Review, the “infiltrated IT worker” model is destined to scale significantly. Consequently, SMEs that do not structure their verification processes today will find themselves in an increasingly difficult position in the 2027-2028 period.
For this reason, investing now in secure processes, training, and architectures is not a cost: it is a form of protection of the digital capital built over time. Those who wish to delve deeper into these topics or assess their exposure can contact the SHM Studio team for a consultation. Further resources and insights are available on the SHM Studio blog.