Amazon has blocked hundreds of job applications from suspected North Korean operatives, according to the U.S. tech giant's chief security officer, amid growing concerns over cyber scams connected to Pyongyang.
“Their objective is typically straightforward: get hired, get paid, and funnel wages back to fund the regime’s weapons programs,” Stephen Schmidt wrote Friday on LinkedIn, adding that applicants were using fake or stolen identities to pursue remote IT jobs in the U.S. and worldwide.
“We’ve stopped more than 1,800 suspected DPRK operatives from joining since April 2024,” he said, using the initialism for the secretive communist state’s official name, the Democratic People’s Republic of Korea. “We’ve detected 27% more DPRK-affiliated applications quarter over quarter this year,” he added.
The fraud was detected by Amazon's AI-powered application screening system combined with manual verification by its staff, he said.
Schmidt said the agents often use so-called laptop farms — computers physically based in the U.S. but operated remotely from abroad — to conceal their true locations.
In June, the Justice Department said it had uncovered 29 illegal “laptop farms” across the U.S. that were being used by North Korean IT workers.
Those cases involved U.S.-based people who created fraudulent companies and “hosted laptop farms,” giving North Korean agents remote access to laptop computers provided by U.S. victim companies, the Justice Department said in a news release at the time.

“These schemes target and steal from U.S. companies and are designed to evade sanctions and fund the North Korean regime’s illicit programs, including its weapons programs,” Assistant Attorney General John A. Eisenberg of the Justice Department's National Security Division was quoted as saying in the release.
The following month, a woman from Arizona was sentenced to more than eight years in prison for running a laptop farm that helped North Korean IT workers get remote jobs at over 300 U.S. companies.
The scheme generated more than $17 million in illicit revenue for her and Pyongyang, the Justice Department said in a statement at the time.
NBC News did not receive an immediate response when it asked the North Korean Embassy in London for comment Tuesday.
Schmidt wrote in his post that numerous other strategies used by fraudulent workers are likely to be operating at scale across the whole industry.
Amazon is one of the world’s largest employers, and its experience of large-scale cyber threats “gives us unique visibility into how these operations evolve and a responsibility to share what we’re learning,” he said.

Identity theft and various LinkedIn strategies have become more elaborate, with fraudulent workers impersonating real software engineers and hijacking LinkedIn profiles of active professionals, Schmidt said.
“We’ve also identified networks where people hand over access to their accounts in exchange for payment,” he added.
“Small details give them away,” he said, warning employers to watch out for common signs of fraud, including incorrectly formatted phone numbers and inconsistent education histories.
In August, the U.S., Japan and South Korea held a joint forum in Tokyo to improve collaboration against the growing threat of North Korean operatives posing as IT workers.
In a joint statement, the three countries said that “hiring, supporting, or outsourcing work to North Korean IT workers increasingly poses serious risks, ranging from theft of intellectual property, data, and funds to reputational harm and legal consequences.”
