CrowdStrike 2026 Global Threat Report: China Seeks to Steal AI Technology It Cannot Develop Domestically

Note: This is a translated summary of a press release originally issued in the U.S. on June 9, 2026.

CrowdStrike (NASDAQ: CRWD) today released the 'CrowdStrike 2026 Global Threat Report on the Technology Sector,' revealing that China-linked adversaries are escalating cyber espionage against technology companies to steal AI capabilities and intellectual property that they cannot develop at the same pace domestically. The world’s most valuable AI assets are concentrated in technology firms, making this sector the most targeted industry globally. Over 58% of nation-state targeted intrusions against the tech sector originate from China-linked actors.

Simultaneously, North Korea-linked attackers are accelerating illicit IT worker schemes to generate revenue for their regime. Cybercrime (eCrime) actors are weaponizing AI, turning the ecosystem that supports AI development into an attack vector. This report highlights how innovation itself—what makes technology valuable—is now the primary target of adversaries.

Key findings from the CrowdStrike Global Threat Report on the Technology Sector:
Based on frontline intelligence from CrowdStrike Counter Adversary Operations, which tracks over 280 identified threat actors, the report reveals:

China-linked actors steal technology to support national AI ambitions: Groups including MURKY PANDA, MUSTANG PANDA, OVERCAST PANDA, SUNRISE PANDA, and WARP PANDA are targeting the technology sector more than any other industry. The MURKY PANDA password-spraying campaign alone has impacted over 340 U.S.-based organizations.

North Korea uses AI-generated personas to infiltrate tech firms: FAMOUS CHOLLIMA leverages AI-generated personas and U.S. front companies to secure remote IT positions at technology firms, accounting for 47% of all nation-state interactive intrusions into the sector and funneling illicit proceeds directly into the regime’s weapons development programs.

Cybercriminals accelerate extortion-focused access: Financially motivated attacks account for 65% of all interactive attacks against the technology sector. Access to tech firms sold by initial access brokers has reached 277 instances—an increase of approximately 30%. Meanwhile, big-game hunting actors have publicly listed 572 technology companies on extortion leak sites.

eCrime groups weaponize AI to scale attacks: Attackers are using AI-generated scripts to steal credentials and erase forensic traces at machine speed, drastically reducing the time defenders have to respond. In the broader eCrime landscape, actors are exploiting the rapid adoption of AI. For example, Skrawl, a new macOS information-stealing tool, is distributed through fake OpenClaw browser extensions and counterfeit download sites impersonating legitimate AI tools.

Attackers infiltrate the developer supply chain: STARDUST CHOLLIMA compromised the Axios NPM package, downloaded over 100 million times per week. This may have affected millions of users and indicates contamination of the open-source supply chain. Separately, prior to CrowdStrike’s takedown of the Glassworm botnet, malware operators compromised 350 GitHub repositories, injecting malicious code into JavaScript and Python projects to target the software development ecosystem.

Adam Meyers, Senior Vice President of Counter Adversary Operations at CrowdStrike, stated:

'Technology companies produce the world’s most valuable and most targeted assets. Every AI breakthrough simultaneously creates competitive advantage and a new attack surface. China is conducting cyber espionage as industrial policy to close its AI technology gap, demonstrating that the target is AI capability itself. Whether you’re developing or adopting AI, security must be built in from the start.'

Additional Resources:

Download the CrowdStrike 2026 Global Threat Report on the Technology Sector

Listen to the 'Threat Actor Portal' podcast for insights on threat actors and recommended mitigations to strengthen your security posture.

For more information, visit our blog or website.

About CrowdStrike
CrowdStrike (NASDAQ: CRWD) is a global leader in cybersecurity, redefining security for the modern enterprise with a world-class, cloud-native platform that protects critical areas of enterprise risk, including endpoints, cloud workloads, identity, and data.

The CrowdStrike Falcon® platform combines the CrowdStrike Security Cloud with advanced AI to deliver ultra-fast detection, automated protection and response, elite threat hunting, and prioritized vulnerability visibility by leveraging real-time indicators of attack (IOAs), threat intelligence, evolving adversary tactics, and rich telemetry from across the enterprise.

The Falcon platform features a single lightweight agent architecture built in the cloud, enabling rapid and scalable deployment, superior protection and performance, reduced complexity, and immediate value.

CrowdStrike: We stop breaches.

Learn more: https://www.crowdstrike.com/
Follow: Blog | X | LinkedIn | Instagram
Start your free trial: https://www.crowdstrike.com/products/trials/try-falcon/

© 2026 CrowdStrike, Inc. All rights reserved. CrowdStrike and CrowdStrike Falcon are trademarks of CrowdStrike, Inc., registered in the U.S. and other countries. CrowdStrike may use trademarks or service marks of third parties to identify their products or services for descriptive purposes only.