Amazon recently uncovered a North Korean IT worker infiltrating its corporate network by tracking a tiny 110ms delay in keystrokes, highlighting a growing threat in remote hiring and cybersecurity. The anomaly, revealed by Amazon’s Chief Security Officer Stephen Schmidt, pointed to a worker supposedly based in the U.S. but actually operating from thousands of miles away.
The infiltration occurred when a contractor hired by Amazon shipped a company laptop to an individual later found to be a North Korean operative. Commands sent from the laptop to Amazon’s Seattle headquarters typically take less than 100 milliseconds, but these commands took over 110 milliseconds—a subtle clue that the user was located far from the U.S.. This delay signaled that the operator was likely in Asia, prompting further investigation.
Since April 2024, Amazon’s security team has blocked more than 1,800 attempts by North Korean workers to infiltrate its workforce, with attempts rising by 27% quarter-over-quarter in 2025. The North Korean operatives often use proxies and forged identities to access remote IT jobs, funneling earnings into the DPRK’s weapons programs and circumventing international sanctions.
Security monitoring revealed that the compromised laptop was being remotely controlled from China, though it did not have access to sensitive data. Investigators cross-referenced the suspect’s resume with system activity and identified a pattern consistent with previous North Korean fraud attempts. Schmidt noted that these operatives often fabricate employment histories tied to obscure consultancies, reuse the same feeder schools and firms, and display telltale signs such as mangled English idioms.
The front in this case was an Arizona woman who was sentenced to multiple years in prison for her role in a $1.7 million IT fraud ring that helped North Korean workers gain access to U.S. corporate networks. Schmidt emphasized that Amazon did not directly hire any North Koreans but warned that shipping company laptops to contractor proxies can create significant risks.
This incident underscores the importance of thorough background checks and advanced endpoint security for remote workers. Latency analysis, behavioral monitoring, and traffic forensics are now essential tools for detecting nation-state threats in the remote work era. Cybersecurity professionals are urged to go beyond basic vetting—such as LinkedIn scans—and adopt robust anomaly detection to protect against sophisticated grifters.As North Korean fraud tactics continue to evolve, companies must remain vigilant. Every lag, every odd behavior, and every unverified resume could be the first sign of a much larger threat hiding in plain sight.