Amazon Identified North Korean IT Worker by Tracking Keystroke Activity
Amazon has made a shocking discovery, uncovering a North Korean imposter who was posing as a systems administrator based in the United States.
The revelation was not made through traditional background checks, but rather by analyzing the subtle timing of the worker’s typing patterns.
According to a report from Bloomberg, Amazon’s security specialists flagged the employee due to suspicious “keystroke input lag,” which raised concerns about the worker’s true location.
Typically, data from a genuine remote worker in the U.S. reaches the company’s network within tens of milliseconds. However, this particular individual’s connection showed a delay of more than 110 milliseconds, prompting a deeper investigation.
Amazon’s security team discovered that the “U.S. remote worker’s” laptop was actually being controlled remotely from another location, with the computer itself physically located in Arizona to maintain the illusion of legitimacy.
However, the person operating the laptop was actually located halfway across the world, highlighting the sophistication of the scam.
How the Scam Works
According to Tomshardware, Amazon Chief Security Officer Stephen Schmidt revealed that this incident is not an isolated case, with the tech giant thwarting over 1,800 infiltration attempts by North Korean IT workers since April 2024.
The frequency of these attacks is increasing, with Amazon recording a 27% quarter-over-quarter increase in attempts to breach its corporate ranks, emphasizing the need for proactive measures to catch these impostors.
Schmidt noted that “if we hadn’t been looking for the DPRK workers, we would not have found them,” highlighting the importance of robust security software and active monitoring in detecting and preventing such infiltrations.
These schemes often involve “laptop farms” hosted within the United States, with the goal of generating revenue for the North Korean regime and potentially conducting espionage or sabotage.
In this specific case, a woman in Arizona was found to be facilitating the fraud by hosting the hardware that allowed North Korean actors to route their traffic through a U.S. IP address, resulting in her imprisonment earlier this year.
While advanced telemetry, such as keystroke tracking, was crucial in this case, Schmidt also emphasized the importance of monitoring “low-tech” red flags, including the clumsy use of American idioms or incorrect usage of English articles during conversation.
As this case demonstrates, robust security software and active monitoring remain the most effective defense against state-sponsored corporate infiltration, highlighting the need for companies to remain vigilant in the face of evolving cyber threats.