Amazon Blocks 1,800+ Suspected North Korean IT Operatives From Securing Remote Roles
Published on December 19, 2025
Key Takeaways
- Robust detection: Amazon has prevented over 1,800 suspected North Korean (DPRK) operatives from joining the company since April 2024.
- AI-powered screening: Amazon leverages artificial intelligence (AI) to detect high-risk connections, application anomalies, and geographic inconsistencies.
- Human verification: Comprehensive identity checks and structured interviews support Amazon's multilayered defense against fraudulent applicants.
Amazon has identified and blocked more than 1,800 suspected North Korean (DPRK) nationals attempting to secure remote IT positions with the company since April 2024, with DPRK-affiliated application detection rates rising by 27% quarter over quarter this year. Central to Amazon's approach is the combination of AI-driven analytics and rigorous human verification.
Advanced AI and Human-Centered Verification
Amazon’s Chief Security Officer attributes this success to the integration of advanced AI-driven models that analyze job applications for links to nearly 200 high-risk institutions, subtle anomalies, and inconsistencies in applicant data, such as unusual educational backgrounds or deviating geographic details.
Stephen Schmidt, Senior Vice President & Chief Security Officer at Amazon, detailed on social media that, regarding the IT worker schemes:
- Identity theft has become more calculated
- Their LinkedIn strategies are becoming more sophisticated, such as hijacking dormant accounts using compromised credentials or insider threats.
- Increased targeting of AI and machine learning roles.
- Working with facilitators managing "laptop farms".
- Educational background, such as degrees from schools that don't offer claimed majors or dates misaligned with academic schedules.
- Small details that give them away, such as formatting U.S. phone numbers with "+1" instead of "1."
The AI system evaluates connections and suspicious patterns, backed by background checks, credential verification, and structured interviews conducted by Amazon's security team.
Persistent Threat Monitoring and Ongoing Adaptation
Amazon’s continuous monitoring allows the company to track emerging trends in applicant profiles and evasion tactics, including those related to DPRK, such as the attempts to hijack dormant LinkedIn accounts and manipulate educational histories.
The U.S. sanctioned four individuals in relation to the IT worker scheme network funding North Korea's weapons programs in August. In July, U.S. authorities announced arrests and indictments, followed by an American resident sentenced for leading a $17 million IT worker fraud scheme.
In October, TechNadu reported that North Korea's IT worker scheme expanded to the UK, Canada, and Germany, while North Korean threat actors posed as IT specialists targeting Europe.
Related
Get expert insights on threats, breaches, scams, and security trends — delivered every Monday.
Most Popular
Get expert insights on threats, breaches, scams, and security trends — delivered every Monday.
Most Popular