Amazon has blocked more than 1,800 attempts by suspected North Korean operatives to fraudulently secure remote IT roles since April 2024. The company reports a 27 percent quarter over quarter increase in these applications throughout 2025. The figures were disclosed by Amazon Senior Vice President and Chief Security Officer Stephen Schmidt, who described a threat that is expanding, adapting, and becoming harder to detect. This is a security failure playing out at scale.
Amazon now treats its hiring pipeline as an attack surface, using AI screening models backed by human verification to assess links to roughly 200 high-risk entities, flag geographic inconsistencies, and detect application anomalies. This is what modern infiltration looks like. No phishing emails. No malware payloads. Just resumes, LinkedIn profiles, and video interviews.
Amazon’s size makes it a high-value target. Its internal systems, cloud infrastructure, and data access mean a single compromised hire can expose far more than credentials. Remote work removes physical constraints. Hiring automation removes friction. Together, they create an opening that hostile states are actively exploiting.
North Korea’s strategy relies on identity theft at scale. Real US software engineers have their identities compromised and reused to build credible resumes, pass interviews, and receive company-issued laptops. Operatives hijack dormant LinkedIn accounts or pay individuals to lend access to verified profiles. Digital identity no longer means a person. It means a bundle of artifacts that can be rented, stolen, or fabricated. Once those artifacts clear automated checks, the system assumes legitimacy.
A key tactic is the use of laptop farms. These are US-based locations where company hardware is shipped and then remotely accessed from abroad. In August 2024, the US Department of Justice charged Nashville resident Matthew Knoot for operating one such farm. Prosecutors allege he hosted laptops for North Korean IT workers accessing them from China, defrauding US companies of more than 500,000 dollars and funneling income into North Korea’s weapons programs.
Amazon has observed a shift toward high-demand roles in AI and machine learning, where remote work is common and verification standards vary. Claimed education histories have evolved as well. Early applications listed East Asian institutions. Later waves used American universities in tax-neutral states. More recent attempts list plausible schools in California and New York. Detection now depends on catching subtle inconsistencies like impossible academic calendars or non-existent degree programs.
Small details matter. Investigators cite formatting choices such as using +1 instead of 1 for US phone numbers as low-signal indicators. On their own they mean nothing. Combined with other flags, they expose synthetic identities.
In July 2024, cybersecurity firm KnowBe4 stopped a North Korean hacker who had nearly secured a senior software engineering role using a stolen identity. The attacker passed video interviews and background checks and was only caught after suspicious remote activity appeared on a company-issued device shipped to an address linked to a known laptop farm. The attacker used advanced techniques including malware deployment via Raspberry Pi hardware, VoIP number masking, and AI-generated profile photos. The hiring system worked exactly as designed. That is the problem.
Remote hiring was built for speed and scale. Digital identity was built for convenience. Neither was built for adversarial pressure from nation states. Now both are being stress-tested in the wild. When work becomes borderless and identity becomes abstract, national security follows the same path.
Blackout VPN exists because privacy is a right. Your first name is too much information for us.
Keep learning
FAQ
How many infiltration attempts did Amazon block
Amazon reports blocking over 1,800 suspected North Korean applications since April 2024
What roles were primarily targeted
High-demand remote IT roles, especially in AI and machine learning
What are laptop farms
US-based locations where company-issued laptops are hosted and remotely accessed from abroad
How were stolen identities used
Real US engineers’ credentials were reused to create credible resumes and LinkedIn profiles
Why is remote hiring a security risk
It removes physical verification while relying on digital identity systems that can be forged or rented