Amazon chief security officer Stephen Schmidt on how ‘small details’ helped him block hundreds of North Korean agents from working at the company, says: These applicants often …

Amazon has reportedly prevented more than 1800 suspected North Korean operatives from applying for jobs over the past 20 months. According to a report by Business Insider, Amazon chief security officer Stephen Schmidt revealed how ‘small details’ have been key in detecting fraudulent applicants. In a lengthy LinkedIn post, Schmidt has mentioned that North Korean nationals have increasingly attempted to secure many remote tech roles at global companies. He further explained that the main objective of these North Korean agents is simply to get hired, paid and funnel wages back to fund the regime’s weapons programs.Schmidt revealed that Amazon has responded to this threat with dual-layered defense system. The company now conducts AI-powered screening that scans for links to around 200 “high-risk institutions” and flags anomalies or geographic inconsistencies. Along with this, the company also does human verification which includes background checks, credential reviews and interviews.

Spotting the red flags

Schmidt also noted that fraudsters are become more calculated and they often impersonate real software engineers of hijack dormant LinkedIn accounts to gain credibility. Some even pay for access to existing professional profiles.AI and machine-learning roles are particularly targeted due to high demand. Yet, Schmidt said, “small details give them away.” For example, applicants often format US phone numbers with “+1” instead of “1.” While trivial in isolation, combined with other indicators, such anomalies reveal a broader pattern.The operatives also rely on ‘laptop farms’ which are US-based setups which maintain domestic presence while the workers operate remotely from abroad. Schmidt emphasised that this issue is not Amazon-specific, but likely occurring “at scale across the industry.”

Read Amazon chief security officer Stephen Schmidt’s LinkedIn post here

Over the past few years, North Korean (DPRK) nationals have been attempting to secure remote IT jobs with companies worldwide, particularly in the U.S. Their objective is typically straightforward: get hired, get paid, and funnel wages back to fund the regime’s weapons programs.At Amazon, we’ve stopped more than 1,800 suspected DPRK operatives from joining since April 2024, and we’ve detected 27% more DPRK-affiliated applications quarter over quarter this year.Our detections combine AI-powered screening with human verification. Our AI model analyzes connections to nearly 200 high-risk institutions, anomalies across applications, and geographic inconsistencies. We verify identities through background checks, credential verification, and structured interviews.As CSO of one of the world’s largest employers, my team sees these threats at a scale few organizations do. That gives us unique visibility into how these operations evolve and a responsibility to share what we’re learning. Here’s what we’re seeing:• Identity theft has become more calculated. These operatives target actual software engineers who provide real credibility, rather than people with minimal online presence.• Their LinkedIn strategies are getting sophisticated. We’re seeing them hijack dormant accounts through compromised credentials to gain verification. We’ve also identified networks where people hand over access to their accounts in exchange for payment.• They’re increasingly targeting AI and machine learning roles, likely because these are in higher demand as companies adopt AI.• These operatives often work with facilitators managing “laptop farms”: U.S. locations that receive shipments and maintain domestic presence, while the worker operates remotely from outside the country.• Educational backgrounds keep changing. We’ve watched the strategy shift from East Asian universities, to institutions in no-income-tax states, to now California and New York schools. We look for degrees from schools that don’t offer claimed majors, or dates misaligned with academic schedules.• Small details give them away. For example, these applicants often format U.S. phone numbers with “+1” rather than “1.” Alone, this means nothing. Combined with other indicators, it paints a picture.This isn’t Amazon-specific. This is likely happening at scale across the industry.If you’re concerned about these threats in your organization, query your databases for common indicators: patterns in resumes, emails, phone numbers, educational backgrounds. Implement identity verification at multiple hiring stages and monitor for anomalous technical behavior: unusual remote access, unauthorized hardware.If you identify suspected DPRK IT workers, report it to the FBI or your local law enforcement. And if you’re seeing similar patterns or have insights to share, I encourage you to do so. The more we share what we’re learning, the harder we make it for these operations to succeed.Amazon reported a 27% quarter-over-quarter increase in North Korea-linked applications this year, underscoring the scale of the challenge. The Justice Department has also intensified its efforts against such practices. In July this year an Arizona woman received a 102 months of prison sentence for helping North Korean IT workers in securing jobs at over 300 US companies.