Amazon's chief security officer, Stephen Schmidt, revealed how the company blocked over 1,800 suspected North Korean operatives from securing remote IT jobs since April 2024. These agents aimed to funnel salaries back to Pyongyang's weapons programs, bypassing sanctions through stolen identities and sophisticated tactics. Amazon detected a 27% quarter-over-quarter rise in such applications in 2025, using AI screening combined with human verification to spot subtle red flags.
North Korean operatives have evolved their strategies, targeting high-demand AI and machine-learning roles at U.S. firms. They hijack dormant LinkedIn profiles, pay legitimate engineers for credential access, or impersonate real software developers to build credible online presences. Educational claims often shift—from East Asian universities to no-tax U.S. states, and lately California or New York schools—frequently listing degrees from institutions without the claimed majors or mismatched graduation dates.
Amazon's defense relies on AI models scanning nearly 200 high-risk institutions, résumé anomalies, and geographic mismatches, followed by rigorous background checks and interviews. Human reviewers caught one operative via keystroke delays from a remotely controlled U.S. laptop in a "laptop farm"—facilities where locals receive company hardware but allow overseas access. Phone number formatting stands out too: fraudsters use "+1" prefixes uncommon among actual U.S. residents.
These "laptop farms" maintain a domestic IP footprint while operatives work from abroad, evading location checks. U.S. authorities have cracked down, sentencing an Arizona woman to over eight years in July 2025 for running farms that netted $17 million for North Koreans across 300+ firms. Schmidt warns this threat scales industry-wide, urging multi-stage identity checks and device monitoring.
Schmidt calls on employers to analyze HR data for patterns in emails, IPs, and universities, then report suspicions to the FBI. As remote work persists, these small details—pieced together—form a critical barrier against regimes turning corporate payrolls into sanction-busting revenue streams. Sharing tactics, he says, strengthens collective defenses in cybersecurity.
