Amazon Caught A North Korean Infiltrator, Because The Keystrokes Arrived 110 Milliseconds Late

For most of the 20th century, spying meant physically crossing borders: diplomats under cover, agents with false passports, dead drops, and clandestine meetings. Borders mattered because information, people, and systems were tied to geography. If governments wanted secrets, they had to be there.

In the digital age, borders have become porous to intelligence work.

Today, a spy can sit in an apartment in Shenyang, Dandong, or Vladivostok, or in Tehran, or Mashad, or in Pyongyang and Potonggang, and still “enter” a U.S. corporation, a government network, or a research lab without ever boarding a plane. Remote work, cloud infrastructure, SaaS tools, and global collaboration platforms have effectively turned corporate networks into borderless territories. Logging in can matter more than crossing customs.

Since spying can be made entirely online, crossing borders become less and less relevant.

This time, a North Korean operative was posing as a remote sysadmin at Amazon, With hidden agendas, the person had access to systems, data, and workflows to one of the most valuable companies in the world.

Amazon
A parked Rivian electric van at Amazon's headquarters in Seattle, U.S..

And then the person got caught red handed.

Amazon uncovered his presence by tracking something as subtle as keystroke latency. Security analysts noticed that the supposed "U.S. remote worker's" keyboard inputs were arriving with a delay of more than 110 milliseconds, far above the tens of milliseconds typical for someone actually working domestically.

This is a tell-tale sign that the workstation was being remotely controlled from afar.

Analyzing the person's digital fingerprints, the company's investigation ultimatedly exposed the infiltration.

Amazon's Chief Security Officer Stephen Schmidt has highlighted this incident as part of a growing and sophisticated campaign by North Korean operatives to secure remote tech roles at companies in the U.S. and beyond.

The goal isn't merely to earn money; these schemes help Pyongyang generate revenue for its sanctioned programs, including weapons development, and potentially position insiders with access to valuable corporate systems.

Since April 2024, Amazon says it has blocked over 1,800 suspected North Korean attempts to obtain employment through fraudulent means, with the number of such applications rising sharply quarter over quarter.

North Korea

In many cases, operatives pose as legitimate candidates by using stolen or fabricated identities, hijacked LinkedIn accounts, and bogus resumes. They often engineer "laptop farms," which can be described as U.S.-based machines that are remote-controlled from abroad so their traffic appears to originate from normal U.S. IP addresses, helping evade basic geolocation checks.

Law enforcement in the U.S. has also stepped up actions against this broader threat: multiple individuals have pleaded guilty to facilitating North Korean IT worker fraud schemes by providing false identities or acting as domestic proxies for overseas operators, with cases linked to hundreds of compromised companies.

The tradecraft behind these operations is evolving.

Beyond simple account fraud, state-linked actors use remote desktop software, VPNs, stolen credentials, and even AI tools to craft convincing personas that can pass automated resume scrapers and initial hiring screens. Reports analyzing these tactics point to elaborate networks of fake identities, proxy hosts, and technical infrastructure designed to blend in with legitimate remote work patterns.

For defenders at tech companies and beyond, this means more than checking a résumé. It means integrating security at the very front end of hiring and monitoring, using behavioral analytics and anomaly detection to spot irregular patterns like unexpected latency, unusual access attempts, or discrepancies in identity data.

As Schmidt has noted, "If we hadn't been looking for the DPRK workers, we would not have found them," underscoring that proactive vigilance is critical.

As remote work continues to reshape global labor markets, adversaries are turning it into a vector not just for espionage and revenue generation, but for embedding deeply into corporate infrastructures. Detecting them often comes down to recognizing the tiny signals that betray their presence: like a few extra milliseconds on a keyboard stroke, in a digital world where even the smallest anomalies can unravel a hidden network of spies.

[block:block=87]

North Korea

In the modern era of the internet and beyond, spies don't just forge passports anymore; they forge entire digital lives.

LinkedIn profiles are carefully curated, employment histories are padded with believable roles, academic credentials are selectively fabricated, and GitHub repositories are seeded with just enough activity to look authentic. Even day-to-day behavior is engineered to appear normal, like how someone normally writes in Slack, speaks on Zoom, or moves tickets through Jira can be rehearsed as deliberately as a cover story once was.

As a result, the battlefield has shifted.

North Korea

It is no longer the airport checkpoint or the border crossing that matters most, but the authentication screen. Access is granted not by a stamp in a passport, but by credentials, tokens, and trust in systems designed for global collaboration. Once logged in, an operative can be functionally "inside" a foreign company or institution without ever leaving their home country.

This is why technical and behavioral signals have taken on the role that accents, forged papers, and nervous habits once played.

Keystroke latency, mouse movement patterns, subtle language quirks, and inconsistencies in the quality of work can reveal truths that polished resumes and flawless video calls conceal. A few extra milliseconds of delay can betray physical distance more reliably than a poorly faked document ever could.

North Korea
North Korean leader Kim Jong-un look at a computer at a school in Pyongyang, in this file photo released by the North's state-run Korean Central News Agency on June 4, 2024.