Amazon’s security chief says the company stopped more than 1,800 suspected DPRK-linked hiring attempts, as governments and firms warn the “fake remote worker” threat is growing.
Lead
Amazon says it has identified and blocked more than 1,800 attempts by North Korea-linked operatives to land IT roles at the company, according to comments from Amazon Chief Security Officer Steve Schmidt at an Amazon-hosted event this week. The disclosure adds detail to a broader, fast-evolving threat: North Korean “remote IT worker” schemes that use fake or stolen identities to obtain legitimate jobs, access company systems, and generate revenue for Pyongyang.
What Amazon reported
Schmidt said Amazon’s teams have “identified and blocked more than 1,800” suspected North Korea attempts to secure IT positions at Amazon. He also described the activity as “prolific” and warned that many organizations underestimate organized efforts to get people hired specifically to reach valuable data.
Amazon’s security chief linked the risk to roles that can provide access to sensitive systems and highly valuable information, pointing to the attractiveness of well-paid positions—particularly around AI/ML work—and the “troves of valuable data” those roles can touch. Amazon also said it has seen a 27% quarter-over-quarter increase in the number of suspected North Korean applications during 2025.
Schmidt described how the playbook has shifted over time—from fully fabricated online personas to the use of identities purchased from Americans with legitimate backgrounds—making fraud harder to spot using traditional résumé screening alone.
How the infiltration attempts work
Industry and government reporting describes a consistent pattern: operators apply for remote IT jobs using fraudulent identities, get hired, and then work from outside the target country while appearing to be local—sometimes with help from facilitators. In some cases, facilitators physically host corporate laptops (commonly described as “laptop farms”) so overseas workers can remotely access employer-issued devices while geolocating as if they are inside the U.S.
The U.S. Department of Justice has publicly described these schemes as involving North Korean individuals fraudulently obtaining remote IT employment at U.S. companies using stolen and fake identities. The Record reported that the DOJ and FBI described laptop-farm activity enabling North Koreans to illegally work at more than 100 U.S. companies, with some incidents involving access to sensitive employer data and source code, including ITAR-related data at a defense contractor.
The FBI has also warned that, once discovered on networks, some North Korean IT workers have escalated into data extortion—stealing proprietary information (including source code) and threatening to release it unless paid. The FBI warning specifically noted that workers have copied company code repositories (for example, GitHub repositories) to personal accounts and cloud storage, creating large-scale intellectual-property risk.
Key timeline and signals
The Amazon disclosure arrives amid a steady cadence of public warnings, enforcement actions, and threat-intelligence reporting tied to North Korean remote-worker tactics.
| Date (published) | What happened | Why it matters |
| --- | --- | --- |
| June 30, 2025 | Microsoft Threat Intelligence reported tracking North Korean remote IT worker activity as “Jasper Sleet” and said it suspended 3,000 Microsoft consumer accounts created by North Korean IT workers. | Shows scale and the use of mainstream consumer platforms in the identity-and-application pipeline. |
| June 29, 2025 | The Record reported DOJ action targeting “laptop farms,” saying FBI officials believed the farms enabled illegal work at more than 100 U.S. companies and describing cases involving sensitive data and source code exposure. | Highlights how physical infrastructure inside the U.S. can make remote infiltration look legitimate to employers. |
| July 2, 2025 | DOJ announced coordinated nationwide actions to combat North Korean remote IT worker schemes using stolen/fake identities to gain employment with U.S. companies. | Signals a whole-of-government disruption approach, not just corporate defenses. |
| Dec. 16, 2025 | Amazon CSO Steve Schmidt said Amazon blocked more than 1,800 suspected North Korean attempts to secure IT roles, and described the activity as prolific. | One of the clearest big-tech datapoints quantifying attempted hiring-based intrusion at a single firm. |
How Amazon says it detects attempts
Amazon says its defenses combine automation and human review, and Schmidt said the company has refined parts of this process over the past two years. He described AI-enabled tools trained to look for suspicious patterns, alongside human-led prevention efforts that validate identity and detect anomalous signals.
Schmidt gave concrete examples of indicators Amazon looks for, including how some operatives list contact details—such as using a plus symbol at the front of a phone number, which he said most Americans do not do. He also said Amazon has identified roughly 200 academic institutions that show up repeatedly on résumés used by suspected IT worker operatives.
More broadly, Amazon described deploying AI to speed up security analysis work and to spot suspicious activity at scale, reflecting how large platforms are trying to meet automation with automation.
Why this threat is rising across the tech sector
Threat reporting suggests the “North Korean IT worker” model is expanding in reach and efficiency, partly because remote work has normalized distributed engineering teams and cross-border contracting. Fortune reported that CrowdStrike observed a sharp rise in companies unknowingly hiring North Korean software developers, describing a 220% increase over 12 months and estimating infiltration into more than 320 companies in that period.
The operational incentives are clear: these jobs can generate steady salary income and offer pathways to sensitive access, including source code, credentials, and internal documentation. As the DOJ has described, the schemes can involve identity theft and organized facilitation to bypass background checks and appear legitimate during onboarding.
The risk is not limited to payroll fraud, because access to code repositories and internal systems can open doors to follow-on compromise, intellectual-property theft, or extortion—outcomes the FBI has explicitly warned about.
What companies can do now
Security and law-enforcement reporting points to a practical takeaway: hiring is now part of the security perimeter, and defenses must cover identity proofing, device logistics, and continuous monitoring. Steps commonly emphasized across these reports include verifying identity and location at multiple points (not only at offer stage), scrutinizing patterns in contact information and résumé metadata, and monitoring for unusual code-repository behavior such as large-scale copying or unexpected uploads to personal accounts.
Organizations can also reduce exposure by tightening controls around employer-issued laptops (shipping, custody, and verification), and by implementing monitoring that detects remote-access tooling patterns consistent with “laptop farm” enablement described in DOJ-linked reporting. Finally, firms should ensure incident-response and legal processes are prepared for extortion scenarios, because the FBI has warned that stolen proprietary data and code have been used as leverage for ransom demands and, in some cases, public release threats.
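As an added illustration of the repository-behavior monitoring described above (not code from Amazon, the FBI, or any reporting cited here), the following sketch flags two patterns over a normalized event feed: one account cloning many distinct repositories in a short window, and pushes to repositories outside the organization. The event format, the `org/` prefix, the account names, and the thresholds are all assumptions made for the example; a real deployment would map its own git-server audit logs and endpoint or egress telemetry into a feed like this.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not a real audit-log schema):
# ISO timestamp, actor, action, repository
SAMPLE_EVENTS = """\
2025-12-01T09:00:00 alice clone org/payments
2025-12-01T09:05:00 bob clone org/web
2025-12-01T23:10:00 newhire7 clone org/payments
2025-12-01T23:11:00 newhire7 clone org/ml-models
2025-12-01T23:12:00 newhire7 clone org/infra
2025-12-01T23:14:00 newhire7 clone org/auth
2025-12-01T23:40:00 newhire7 push personal/backup
2025-12-02T10:00:00 alice clone org/web
"""

def parse_events(text):
    """Yield (timestamp, actor, action, repo) from whitespace-separated lines."""
    for line in text.splitlines():
        if line.strip():
            ts, actor, action, repo = line.split()
            yield datetime.fromisoformat(ts), actor, action, repo

def find_repo_anomalies(events, org_prefix="org/", max_repos=3,
                        window=timedelta(hours=1)):
    """Return alerts for bulk cloning and for pushes outside the organization.

    bulk_clone: more than max_repos distinct repos cloned by one actor
                within the sliding window (reported once per actor).
    external_push: any push to a repo that does not start with org_prefix.
    """
    alerts, flagged = [], set()
    clones = defaultdict(list)  # actor -> [(timestamp, repo)] inside the window
    for ts, actor, action, repo in sorted(events):
        if action == "push" and not repo.startswith(org_prefix):
            alerts.append((actor, "external_push", repo))
        elif action == "clone":
            # Drop clones that have aged out of the window, then add this one.
            recent = [(t, r) for t, r in clones[actor] if ts - t <= window]
            recent.append((ts, repo))
            clones[actor] = recent
            distinct = {r for _, r in recent}
            if len(distinct) > max_repos and actor not in flagged:
                flagged.add(actor)
                alerts.append((actor, "bulk_clone", len(distinct)))
    return alerts

if __name__ == "__main__":
    for alert in find_repo_anomalies(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

Thresholds like these need tuning against normal developer behavior; build systems and onboarding scripts legitimately clone many repositories and should be baselined or excluded by service account.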
What happens next
Amazon’s report that it blocked more than 1,800 suspected North Korean IT infiltration attempts underscores how aggressively the DPRK-linked remote-worker pipeline is targeting high-trust technical roles at major companies. With Microsoft describing thousands of consumer accounts tied to the ecosystem and DOJ actions targeting facilitators and laptop farms, the public record increasingly shows a full-stack operation spanning identity fraud, infrastructure, and post-hire data risk.
For employers, the implication is straightforward: robust hiring verification, tighter device controls, and monitoring for data-exfiltration and code-theft behaviors are now essential to protecting systems—because the “intruder” may arrive through onboarding, not a phishing email.






