
Amazon has intercepted over 1,800 attempts by suspected North Korean operatives to fraudulently secure remote IT roles at the company since April 2024.
The tech giant has observed a 27% quarter-over-quarter increase in such applications this year, signaling both scale and growing sophistication.
The figures were revealed by Amazon's Senior Vice President and Chief Security Officer, Stephen Schmidt, who says the threat has become more complex and widespread. Amazon's detection efforts rely on AI-powered screening layered with human verification. The models assess connections to roughly 200 high-risk entities, detect geographical mismatches, and flag application anomalies. These are further examined through rigorous background checks, credential verifications, and structured interviews.
As one of the world's largest employers with a massive global hiring footprint, Amazon has become a frontline observer of North Korea's IT infiltration strategy. The company's size, combined with the sensitivity of its internal systems and data, makes it a high-value target. Schmidt's team has noted alarming changes in the tactics used by these operatives, indicating a well-funded and adaptive threat operation.
North Korea's strategy hinges on identity theft, often involving the compromise of real US software engineers with authentic credentials. These stolen identities are then used to create credible resumes, pass hiring procedures, and receive company laptops. Schmidt highlighted that operatives are now hijacking dormant LinkedIn accounts or paying individuals to lend access to verified profiles, increasing their odds of passing initial recruiter scrutiny.
A key operational pattern involves “laptop farms,” US-based setups to which company-issued hardware is shipped and then operated remotely from abroad. This tactic came under scrutiny in August 2024, when the US Department of Justice charged Nashville resident Matthew Knoot with managing such a farm. Knoot allegedly hosted laptops for North Korean IT workers, who accessed them from China using remote desktop tools, defrauding US firms of over $500,000 and funneling earnings into North Korea's weapons programs.
Amazon's data shows that targets are shifting toward high-demand roles in AI and machine learning, where remote work is common and verification can be inconsistent. Meanwhile, claimed educational backgrounds have evolved, from East Asian institutions to American universities in tax-neutral states, and now to more plausible entries like California or New York-based schools. Yet inconsistencies like misaligned academic calendars or non-existent degree programs often reveal the deception.
Small but telling details also act as indicators. Amazon's investigators cite formatting anomalies such as using “+1” instead of “1” for US phone numbers as low-signal flags that gain significance when paired with other red flags.
In July 2024, cybersecurity firm KnowBe4 stopped a North Korean hacker who had nearly secured a senior software engineering role using a stolen identity. Despite passing video interviews and extensive vetting, the attacker was caught only after suspicious remote activity triggered alerts on a company-issued device. That device had been shipped to an address linked to another known laptop farm network. The attacker used advanced techniques, including malware deployment via Raspberry Pi, VoIP number masking, and AI-generated profile photos.






