Hundreds of job applications from suspected North Korean operatives have been blocked by Amazon, according to the U.S. tech giant's chief security officer, amid growing concerns over cyber scams connected to Pyongyang.
“Their objective is typically straightforward: get hired, get paid, and funnel wages back to fund the regime’s weapons programs,” Stephen Schmidt wrote in a LinkedIn post on Friday, adding that applicants were using fake or stolen identities to pursue remote IT jobs in the U.S. and worldwide.
“We’ve stopped more than 1,800 suspected DPRK operatives from joining since April 2024,” he said, using the acronym for the secretive communist state’s official name, the Democratic People’s Republic of Korea. “We’ve detected 27% more DPRK-affiliated applications quarter over quarter this year,” he added.
The fraud was detected by Amazon's AI-powered application screening system combined with manual verification by its staff, he said.
Schmidt said that the agents often use so-called “laptop farms” — computers physically based in the U.S. but operated remotely from abroad — to conceal their true locations.
In June, the Department of Justice said it uncovered 29 illegal “laptop farms” across the U.S. which were being used by North Korean IT workers.
Those cases involved U.S.-based individuals who created fraudulent companies and "hosted laptop farms," giving North Korean agents remote access into U.S. victim company-provided laptop computers, the DOJ said in a news release at the time.
“These schemes target and steal from U.S. companies and are designed to evade sanctions and fund the North Korean regime’s illicit programs, including its weapons programs,” Assistant Attorney General John A. Eisenberg of the Department's National Security Division was quoted as saying in the release.
The following month, a woman from Arizona was sentenced to more than eight years in prison for running a laptop farm that helped North Korean IT workers get remote jobs at over 300 U.S. companies.
The scheme generated more than $17 million in illicit revenue for her and Pyongyang, the DOJ said in a statement at the time.
NBC News did not receive an immediate response when it reached out to the North Korean Embassy in London for comment on Tuesday.
Schmidt wrote in his post that there are numerous other strategies used by fraudulent workers which are likely operating at scale across the whole industry.
As one of the world’s largest employers, Amazon’s experience of large-scale cyber threats “gives us unique visibility into how these operations evolve and a responsibility to share what we’re learning,” he said.
Identity theft and various LinkedIn strategies have become more elaborate, with fraudulent workers impersonating real software engineers and hijacking LinkedIn profiles belonging to active professionals, Schmidt said.
"We’ve also identified networks where people hand over access to their accounts in exchange for payment," he added.
“Small details give them away,” he said, warning employers to watch out for common signs of fraud, including incorrectly formatted phone numbers and inconsistent education histories.
In August, the U.S., Japan and South Korea held a joint forum in Tokyo to improve collaboration against the growing threat of North Korean operatives posing as IT workers.
In a joint statement, the three countries said that “hiring, supporting, or outsourcing work to North Korean IT workers increasingly poses serious risks, ranging from theft of intellectual property, data, and funds to reputational harm and legal consequences.”