Share this article:

1,800 attempts | Amazon warns HR as job applications from North Korean imposters surge

North Korea flag, Amazon building

Amazon security executives are warning HR and business leaders that remote hiring is being exploited by North Korea-linked operatives, after the company detected thousands of attempted infiltrations into its workforce.

Stephen Schmidt, Amazon’s Chief Security Officer, said the company has blocked more than 1,800 attempts by North Koreans to gain work through Amazon roles or contractors since April 2024. He said the pace of attempts has accelerated, rising an average of 27% quarter over quarter this year.

How Amazon detected the imposter

Schmidt described how a barely noticeable technical delay first exposed one case. Keystroke data from a laptop assigned to a new IT worker suggested the individual was not located in the US, as claimed. The commands took more than 110 milliseconds to reach Amazon’s systems in Seattle, rather than the tens of milliseconds expected.

“That told us the person was likely half a world away,” Schmidt said at a security event in New York City.

The individual had been hired through an Amazon contractor. Schmidt said Amazon did not directly employ any North Koreans, but the attempt still served as a warning for employers relying on remote workers and third-party hiring.

“If we hadn’t been looking for the DPRK workers, we would not have found them,” he said.

Patterns HR teams should watch for

After an alert flagged unusual behavior on the contractor’s laptop, Amazon security teams discovered the machine was being remotely controlled. The traffic was traced as far as China, Schmidt said. The device had limited system access, allowing teams time to observe activity.

When Amazon reviewed the resume and application submitted to the contractor, Schmidt said the profile matched known patterns seen in other North Korea-linked cases.

“This looks like somebody who had used the same playbook as other North Koreans that we’ve seen to get this job,” he said.

An Amazon spokesperson told Bloomberg News that the person operating on behalf of North Korea was an Arizona woman who was sentenced in July to years in prison for her role in assisting fraudulent IT workers.

Schmidt said imposters sometimes steal real identities, but more often follow repeatable patterns. These include claims of attending the same schools, employment at overseas consulting firms that are difficult to verify from the US, and struggles with American idioms or English-language articles such as “a,” “an,” or “the.”

Amazon removed the individual from its systems within days, Schmidt said. He stressed that HR teams should go beyond surface-level checks and ensure close coordination with security teams, and added that “quality security software” is essential to detect subtle warning signs, including small delays in data transmission that may signal remote control or overseas access.

Be the first to comment.

Sign up for a FREE myGrapevine account to have your say.

Share this article:

You are currently previewing this article.Create account

This is the last preview available to you for the next 30 days.

To receive our daily newsletter and access HR features & insights, create a free account today.