Amazon Catches North Korean IT Worker by Tracking Tiny 110ms Keystroke Delays

A slight delay in keystrokes from a supposed U.S.-based IT worker alerted Amazon to a North Korean infiltrator accessing a corporate laptop.

The commands should have zipped from the worker’s machine to Amazon’s Seattle headquarters in under 100 milliseconds. Instead, they trickled in after more than 110 milliseconds, a subtle clue screaming “half a world away,” Amazon Chief Security Officer Stephen Schmidt revealed in an interview.

This North Korean operative, hired through a contractor, exemplified the DPRK’s brazen surge into remote IT jobs. Sanctioned by the U.S. and allies, Pyongyang uses these scams to funnel cash into weapons programs and evade isolation.

DPRK workers infiltrate roles at small firms and tech giants alike, creating legal headaches and insider threats.

Since April 2024, Amazon’s team has thwarted over 1,800 such hiring attempts, Schmidt announced at a New York security event this week. Attempts spiked 27% quarter-over-quarter this year. “Amazon didn’t hire any North Koreans directly,” Schmidt emphasized. But shipping a company laptop to a contractor proxy for DPRK operatives? That’s a stark warning for all.

Security monitoring flagged odd behavior on the systems admin’s laptop, revealing a remote control traced to China.

The machine lacked access to sensitive data, so investigators watched patiently. Cross-referencing the resume with the activity unveiled the scam. “This looks like somebody who had used the same playbook as other North Koreans,” Schmidt recalled.

An Arizona woman who served as a front earned a multi-year prison sentence in July for her part in a $1.7 million IT fraud ring aiding DPRK workers, per the U.S. Justice Department.

North Korean fraudsters follow predictable scripts. They fabricate histories tied to obscure overseas consultancies tough to verify from afar, often listing the same feeder schools and firms. Red flags include mangled English idioms or article usage (“a,” “an,” “the”). “If we hadn’t been looking for the DPRK workers, we would not have found them,” Schmidt warned.

Amazon expelled the impersonator within days. Schmidt urged more thorough vetting than just LinkedIn scans: comprehensive background checks, along with strong endpoint security that detects anomalies like keystroke latency, Bloomberg reports.

This bust echoes broader DPRK tactics. As detailed in Bloomberg’s exposé on “laptop farmers” (Americans, unwittingly or not, proxying gear to Pyongyang), these schemes have infiltrated U.S. firms en masse. The Justice Department recently coordinated nationwide crackdowns.

For cybersecurity pros, the lesson cuts deep. Latency analysis, behavioral monitoring, and traffic forensics aren’t just for threat hunters—they’re frontline defenses against nation-state grifters. In a remote-work era, every lag counts.
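
The latency check described above, sketched as an added example (not Amazon's tooling and not code from the article). It assumes an endpoint agent already records a per-keystroke latency in milliseconds for each session; only the 100 ms ceiling comes from the article, while the session names, the 30-sample minimum, the 10th-percentile floor and the data are constructed for illustration.

```python
import statistics
from collections import defaultdict

EXPECTED_MAX_MS = 100.0  # ceiling the article cites for a U.S.-based worker
MIN_SAMPLES = 30         # assumption: sessions with fewer samples are not judged

def latency_floor(samples_ms):
    """10th percentile of a session's latencies. Jitter and queueing only add
    delay, so the low end tracks path length better than the mean or max."""
    return statistics.quantiles(samples_ms, n=10, method="inclusive")[0]

def classify_sessions(events, expected_max_ms=EXPECTED_MAX_MS):
    """events: iterable of (session_id, latency_ms). Returns {session: verdict}."""
    by_session = defaultdict(list)
    for session_id, latency_ms in events:
        if latency_ms > 0:  # drop zero/negative values caused by clock skew
            by_session[session_id].append(float(latency_ms))
    verdicts = {}
    for session_id, samples in by_session.items():
        if len(samples) < MIN_SAMPLES:
            verdicts[session_id] = "insufficient-data"
        elif latency_floor(samples) > expected_max_ms:
            verdicts[session_id] = "review"  # even the fastest keystrokes are slow
        else:
            verdicts[session_id] = "ok"
    return verdicts

def constructed_events():
    """Constructed sample data, not real telemetry."""
    events = []
    for i in range(200):
        # Nearby worker: roughly 45-65 ms, with a 195 ms spike every 20th key.
        spike = 150.0 if i % 20 == 0 else 0.0
        events.append(("sess-domestic", 45.0 + (i * 7) % 20 + spike))
        # Relayed session: never faster than 112 ms, with little jitter.
        events.append(("sess-relayed", 112.0 + (i * 3) % 15))
    events += [("sess-short", 118.0)] * 5  # too few samples to judge
    return events

if __name__ == "__main__":
    for session, verdict in sorted(classify_sessions(constructed_events()).items()):
        print(session, verdict)
```

Judging the floor rather than any single sample keeps the spiky but nearby session from being flagged, while the relayed session is sent for review because none of its keystrokes arrive under the ceiling.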

The post Amazon Catches North Korean IT Worker by Tracking Tiny 110ms Keystroke Delays appeared first on Cyber Security News.

Source: cybersecuritynews.com
