The first red flag wasn’t a suspicious login, a strange IP address, or a breached database.
It was a delay—barely a flicker on a graph. A keystroke that took just over 110 milliseconds to reach Amazon’s systems, when it should have arrived in a fraction of that time.[1]
On a wall of monitors in an Amazon security operations center, that tiny hiccup stood out like a heartbeat skipping a beat. To most people, 110 milliseconds is nothing. To security specialists watching for the faintest sign of deception, it was a story begging to be told.
The Worker Who Wasn’t Who He Said He Was
On paper, the sysadmin looked perfect: a U.S.-based remote IT worker with a clean résumé, solid references, and the kind of experience any big tech company would want.[1]
But behind that façade, investigators say, was something else entirely: an imposter linked to North Korea, part of a wider push by the DPRK (Democratic People’s Republic of Korea) to infiltrate Western companies, earn foreign currency, and sometimes steal data along the way.[1][2]
Amazon’s team started digging. Why were his keystrokes lagging more than 110 milliseconds, when typical U.S. workers clocked in at a few dozen?[1] Was he really where he claimed to be? Or were his keystrokes bouncing across continents before landing inside Amazon’s network?
The answer, according to people familiar with the case, was chilling: he was not in the United States at all.
The Hidden Economy of North Korean “Remote Workers”
For years, North Korea has quietly built a shadow workforce of tech professionals who apply for remote IT jobs using stolen or rented identities, often from the U.S. or other Western countries.[2][4]
They pose as freelancers or full-time hires, get access to real company systems, and then send their paychecks—and sometimes stolen intellectual property—back to the regime.[2][4] This money helps fund weapons programs, cyber units, and a government cut off from much of the global economy.[4]
According to Amazon’s Chief Security Officer, Stephen Schmidt, the company has blocked more than 1,800 attempts by North Korean operatives to secure IT roles since April 2024.[1][2][3] And the problem isn’t slowing down: Amazon has seen a 27% quarter-over-quarter increase in these attempts in 2025 alone.[1][3]
“This isn’t a one-off,” Schmidt has warned. “It’s a sustained, industrial-scale effort to get inside our systems—and everyone else’s, too.”[1][2][3]
How a Few Milliseconds Became a Smoking Gun
So how do you catch someone who has a clean background, a realistic LinkedIn profile, and passes a technical interview?
You watch how they move through the network—literally.
Amazon’s security team uses telemetry: detailed technical measurements of how a user’s device behaves.[1] One of those measurements is keystroke latency—how long it takes for a key press on a worker’s keyboard to reach Amazon’s systems.
For a genuine U.S.-based worker on a stable internet connection, that data typically travels in just a few tens of milliseconds.[1] But when those inputs are relayed through multiple networks—say, from a computer inside North Korea, bouncing through foreign VPN servers—the signal slows down.
In this case, the lag consistently clocked at more than 110 milliseconds.[1] That might still sound fast, but at scale, across thousands of remote workers, it looked wrong enough to trigger a deeper investigation.
What started as a small anomaly became the first breadcrumb in a trail that led to an impostor masquerading as an American sysadmin—and, investigators say, back to North Korean networks.
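The latency check described in this section, sketched as detection logic. This is an added example, not Amazon's code or method: only the 110 ms figure comes from the article, while the function name, the other thresholds and the sample telemetry are assumptions made for illustration.

```python
from statistics import median

THRESHOLD_MS = 110.0       # latency figure reported in the article
MIN_SAMPLES = 5            # assumption: skip users with too little data
SUSTAINED_FRACTION = 0.8   # assumption: "consistently" means >= 80% of samples
ROBUST_Z_CUTOFF = 5.0      # assumption: distance from the fleet, in MAD units


def flag_sustained_latency(samples):
    """samples: {user: [keystroke latency in ms, ...]}.

    Returns {user: (user_median_ms, fraction_over_threshold)} for users whose
    latency is both persistently above THRESHOLD_MS and far from the fleet.
    """
    medians = {u: median(v) for u, v in samples.items() if len(v) >= MIN_SAMPLES}
    if not medians:
        return {}
    fleet_median = median(medians.values())
    # Median absolute deviation: a spread estimate that one outlier cannot
    # inflate. Fall back to 1 ms when every user has the same median.
    fleet_mad = median(abs(m - fleet_median) for m in medians.values()) or 1.0
    flagged = {}
    for user, user_median in medians.items():
        values = samples[user]
        over = sum(v > THRESHOLD_MS for v in values) / len(values)
        robust_z = (user_median - fleet_median) / fleet_mad
        # A single spike (bad Wi-Fi, a stalled VPN) fails the sustained test.
        if over >= SUSTAINED_FRACTION and robust_z > ROBUST_Z_CUTOFF:
            flagged[user] = (user_median, over)
    return flagged


# Constructed sample telemetry (not real data), in milliseconds.
SAMPLE = {
    "user-a": [22, 31, 27, 35, 29, 24],
    "user-b": [41, 38, 45, 180, 40, 39],        # one transient spike
    "user-c": [118, 125, 131, 114, 122, 127],   # sustained high latency
    "user-d": [33, 30, 28, 36, 31, 34],
    "user-e": [150, 160],                        # too few samples to judge
}

if __name__ == "__main__":
    for user, (med, frac) in flag_sustained_latency(SAMPLE).items():
        print(f"{user}: median {med:.1f} ms, {frac:.0%} of samples over {THRESHOLD_MS:.0f} ms")
```

Satellite links, corporate VPN hops and chained remote desktop sessions also raise latency, so a hit here is a prompt for review, not a finding about location.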
A Human Story Inside a Global Scheme
Imagine Emma, a mid-level manager at a mid-sized U.S. software firm. She’s stressed, overworked, and desperate to fill an open DevOps role before a big product launch.
A recruiter sends over a polished candidate: “David,” a supposed U.S. citizen with glowing references, a great GitHub profile, and a convincing video interview. His rates are competitive. He can start immediately.
He works nights. He prefers text over video calls. His camera is always “broken.” But his tickets close fast, his code works, and in the crunch, Emma is just relieved someone competent is finally on the team.
Months later, she gets a call from law enforcement. “David,” they tell her, is believed to be part of a North Korean IT worker network. The laptop she authorized gave him access to production systems, internal documentation, and private customer data.
Emma thought she was hiring talent. In reality, she had unknowingly plugged her company into a geopolitical scheme.
The Global Response: Playing Catch-Up
Governments are no longer treating this as just “freelance fraud.”
U.S. authorities have charged North Korean nationals with schemes to infiltrate companies as remote workers and steal nearly $1 million in cryptocurrency, and with running fake job application platforms to target major AI companies.[2] In another case, an Arizona woman was sentenced to eight years in prison for helping North Koreans steal U.S. identities to secure remote IT roles worth an estimated $17 million.[2]
Security firms have documented entire North Korean remote worker networks, complete with handlers, money mules, fake recruiters, and layers of shell companies.[4] Their goal: funnel hard currency and sensitive data back to Pyongyang, while staying invisible inside the global remote-work boom.[2][4]
Yet Amazon’s Schmidt is blunt: the main reason they’re catching so many is that they are actively looking.[1] “If we hadn’t been looking for the DPRK workers,” he has said, “we would not have found them.”[1]
That implication is stark: many companies are not looking—and may already be compromised.
What’s Next / Could It Happen Again?
This won’t just happen again; it is happening—across tech, finance, healthcare, and any industry that hires remote IT talent.
As AI jobs and machine learning roles become more valuable, North Korean operatives are increasingly targeting them for both money and access to sensitive data.[2]
Over the next few years, expect to see:
- More companies quietly adding latency and behavior analytics to their security stack.
- Governments tightening identity verification for remote workers.
- Increased public exposure of fake profiles, agencies, and job platforms tied to state-backed actors.[2][4]
But the deeper question lingers:
In a world built on remote work and global talent, how do you really know who’s on the other side of the screen—and what they’re working for?
FAQ
Q1: What is the North Korean infiltrator Amazon case about?
A North Korean-linked impostor allegedly posed as a U.S.-based sysadmin at Amazon and was uncovered after unusual keystroke latency triggered a security investigation.[1]
Q2: How did Amazon detect the infiltrator?
Amazon monitored keystroke timing and noticed more than 110-millisecond delays, inconsistent with a typical U.S. remote worker, which prompted deeper review and exposure of the impostor.[1]
Q3: Why is North Korea infiltrating remote IT jobs?
North Korean IT workers use fake or stolen identities to secure remote roles, earning foreign currency and sometimes stealing data to support regime funding and cyber operations.[2][4]
Q4: How many North Korean attempts has Amazon blocked?
Amazon’s CSO reports that the company has identified and blocked over 1,800 North Korean infiltration attempts since April 2024, with a 27% quarter-over-quarter rise in 2025.[1][2][3]
Q5: Can this happen to smaller companies, too?
Yes. Analysts warn that any organization hiring remote IT or developer roles—especially via online platforms—is a potential target if they lack strong identity and behavior-based security checks.[2][4]
Q6: How can companies protect themselves from North Korean IT infiltration?
Experts recommend strict identity verification, behavioral monitoring (including latency and access patterns), limited system privileges, and routine audits of remote accounts.[2][4]
Q7: Is this only an Amazon problem?
No. Amazon is unusually proactive and vocal about these threats, but intelligence and security reports show similar North Korean remote-worker schemes targeting multiple global tech and AI firms.[2][4]
