Amazon has successfully prevented more than 1800 suspected operatives linked to North Korea from applying for jobs at the company in a span of just 20 months. The e-commerce and tech giant's chief security officer, Stephen Schmidt, detailed this sophisticated threat in a recent LinkedIn post, highlighting a growing trend of state-sponsored attempts to infiltrate global corporations.
How North Korean Operatives Target Remote Tech Roles
According to Schmidt, nationals from the Democratic People's Republic of Korea (DPRK) have been increasingly attempting to secure remote technology positions at companies worldwide, with a significant focus on US firms. The primary objective is straightforward: to get hired, receive a salary, and funnel those wages back to North Korea to fund the regime's weapons programs. This is not an isolated issue for Amazon; Schmidt emphasised that this is likely happening "at scale across the industry."
Amazon reported a 27% quarter-over-quarter increase in detected DPRK-linked job applications this year alone. The company's response has been a robust, dual-layered defense system. This combines advanced AI-powered screening with thorough human verification processes.
Amazon's Two-Pronged Defense Strategy
The first layer involves an AI model that scans applications for connections to approximately 200 identified "high-risk institutions." It also flags anomalies in applications and geographic inconsistencies that might suggest fraudulent activity. The second, crucial layer is human verification. This includes comprehensive background checks, credential reviews, and structured interviews designed to catch discrepancies that machines might miss.
Schmidt, whose team sees these threats at a volume few organisations encounter, shared key insights into the evolving tactics of these operatives. Identity theft has become more calculated, with fraudsters increasingly impersonating real software engineers who have established online credibility, rather than creating fake profiles from scratch.
The Red Flags and Evolving Tactics
These operatives are employing sophisticated methods to appear legitimate. They often hijack dormant LinkedIn accounts using compromised credentials or even pay individuals for access to their existing professional profiles. There is a particular focus on high-demand roles in AI and machine learning, capitalising on the industry's rapid adoption of these technologies.
To maintain a domestic US presence, they frequently use "laptop farms"—physical setups within the United States that handle shipments and provide a local address, while the worker operates remotely from abroad. Their claimed educational backgrounds are also constantly shifting, from East Asian universities to institutions in no-income-tax states, and more recently to schools in California and New York.
However, small, seemingly trivial details often expose them. A common giveaway cited by Schmidt is how applicants format US phone numbers. Many use "+1" at the beginning instead of just "1." While insignificant on its own, when combined with other suspicious indicators, it helps paint a clear picture of fraudulent activity.
A Wider Industry and Legal Challenge
Schmidt urged other companies to be vigilant, recommending they query their own databases for patterns in resumes, emails, and phone numbers. He advised implementing identity verification at multiple hiring stages and monitoring for anomalous technical behaviour, such as unusual remote access patterns.
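One way to run the kind of database query Schmidt recommends, as an added example that is not Amazon's tooling or code from the original article: it normalizes phone numbers, emails and resume text, then reports any identifier shared by applications filed under different names so a human reviewer can look at them. The applicant records, field names, and the choice to strip plus-addressing from emails are assumptions made for illustration.

```python
import hashlib
import re
from collections import defaultdict

# Constructed sample records (fictional names, reserved 555-01xx numbers, example domains).
APPLICATIONS = [
    {"id": 1, "name": "Alex Rivera", "email": "a.rivera+jobs@example.com",
     "phone": "+1 (602) 555-0134", "resume": "Senior ML engineer. Built ranking pipelines in Python and Go."},
    {"id": 2, "name": "Jordan Kim", "email": "jkim@example.org",
     "phone": "1-602-555-0134", "resume": "Backend developer with Kubernetes experience."},
    {"id": 3, "name": "Sam Patel", "email": "A.Rivera@example.com",
     "phone": "415 555 0199", "resume": "Senior ML Engineer -- built ranking pipelines in Python and Go!"},
    {"id": 4, "name": "Dana Lee", "email": "dana.lee@example.net",
     "phone": "(212) 555-0170", "resume": "Data analyst, SQL and dashboards."},
]

def norm_phone(raw):
    """Keep the last 10 digits so '+1 (602) ...' and '1-602-...' compare equal."""
    digits = re.sub(r"\D", "", raw)
    return digits[-10:] if len(digits) >= 10 else digits

def norm_email(raw):
    """Lowercase and drop a '+tag' suffix (assumption: plus-addressing is in use)."""
    local, _, domain = raw.strip().lower().partition("@")
    return f"{local.split('+', 1)[0]}@{domain}"

def resume_fingerprint(text):
    """Hash the lowercase word sequence so punctuation and case changes do not hide reuse."""
    words = " ".join(re.findall(r"[a-z0-9]+", text.lower()))
    return hashlib.sha256(words.encode()).hexdigest()[:16]

def shared_identifier_clusters(apps):
    """Return (kind, value, [application ids]) for identifiers reused under different names."""
    names = {a["id"]: a["name"].strip().lower() for a in apps}
    index = defaultdict(set)
    for a in apps:
        index[("phone", norm_phone(a["phone"]))].add(a["id"])
        index[("email", norm_email(a["email"]))].add(a["id"])
        index[("resume", resume_fingerprint(a["resume"]))].add(a["id"])
    return sorted(
        (kind, value, sorted(ids))
        for (kind, value), ids in index.items()
        if len({names[i] for i in ids}) > 1  # same identifier, different claimed identity
    )

if __name__ == "__main__":
    for kind, value, ids in shared_identifier_clusters(APPLICATIONS):
        print(f"review: applications {ids} share {kind} {value}")
```

A match here is a lead for the human verification layer, not a verdict: shared numbers and templates also occur for ordinary reasons such as recruiting agencies or family phone plans.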
The US Justice Department has also intensified its crackdown on such schemes. In a related case from July this year, an Arizona woman was sentenced to 102 months in prison for her role in helping North Korean IT workers secure positions at over 300 US companies. This underscores the serious legal consequences and the coordinated effort required to combat this form of economic and security threat.
Schmidt concluded by encouraging industry-wide information sharing, stating that the more companies collaborate and disclose what they learn, the harder it becomes for these state-backed operations to succeed. He also directed anyone who identifies suspected DPRK IT workers to report them to the FBI or local law enforcement.