Amazon’s top security executive said that over the past 20 months, the company has blocked more than 1,800 North Korean nationals from obtaining remote internet technology jobs that would ultimately fund weapons programs in the country.
Amazon blends an AI screening process with human verification to filter job applications, Schmidt said. The company has detected a 27 percent quarter-over-quarter rise in job applications from North Korean affiliates.
At Amazon, Schmidt said his security team uses artificial intelligence to analyze connections at nearly 200 high-risk institutions to detect anomalies across job applications, as well as geographic inconsistencies. The company vets the identity and country of origin of job applicants through a combination of interviews, background checks, and credential verification.
“As CSO of one of the world’s largest employers, my team sees these threats at a scale few organizations do,” Schmidt said in his post. “That gives us unique visibility into how these operations evolve and a responsibility to share what we’re learning.”
The sharp increase in phony job applications from North Korea isn’t limited to just Amazon; Schmidt said it’s likely occurring on a much larger scale, particularly at companies desperate for talented employees for AI and machine learning roles.
“North Korean threat actors exploit traditional hiring processes with stolen or synthetic identities backed by detailed technical portfolios,” the report stated. “These portfolios can include legitimate references obtained through identity manipulation and previous real work histories that pass basic verification.”
North Korean operatives will also hijack dormant LinkedIn accounts so they can pass verification checks, Amazon’s Schmidt said, or they steal the identities of actual software engineers. In some instances, people with actual LinkedIn accounts surrendered their login credentials in exchange for payment.
Oftentimes, tiny details can paint a larger picture of false job applications, Schmidt said. Job applicants might erroneously format U.S. phone numbers with a “+1” rather than simply a “1,” a clear indication that the person lives outside the United States. Other “tells” include educational backgrounds that don’t align with degree offerings at U.S. colleges and universities, Schmidt added.
“Small details give them away,” he said.
North Korean operatives often utilize “laptop farms” to operate from abroad. The Justice Department investigation this past summer resulted in searches of 29 suspected laptop farms in 16 states. Computers at such farms were issued by U.S. companies and housed in the United States by U.S., Chinese, and Taiwanese nationals, but were operated by overseas cyber operatives, the department said.
Between 2021 and 2024, the identities of more than 80 people were compromised, resulting in more than $3 million in losses to victims and U.S. companies, the department said.
John A. Eisenberg, Assistant Attorney General of the Justice Department’s National Security Division, said the schemes target and steal from U.S. companies to fund illicit North Korean programs.
“The Justice Department, along with our law enforcement, private sector, and international partners, will persistently pursue and dismantle these cyber-enabled revenue generation networks,” Eisenberg said in a June statement.
