Amazon has blocked more than 1,800 suspected North Korean operatives from remote information technology jobs since April 2024. Stephen Schmidt, the company’s second senior vice president and chief security officer, detailed the effort in a LinkedIn post in late December 2025. North Korean nationals seek these positions at U.S. companies to funnel wages toward the regime’s weapons programs. Amazon employs AI-powered screening combined with human verification for detection.
Schmidt stated in his post, “we’ve stopped more than 1,800 suspected DPRK operatives from joining since April 2024, and we’ve detected 27% more DPRK‑affiliated applications quarter over quarter this year.” This increase reflects ongoing efforts by operatives affiliated with the Democratic People’s Republic of Korea, or DPRK, to infiltrate remote IT roles at Amazon and other firms. The company’s systems process applications at high volume, given its status as one of the world’s largest employers.
The detection process integrates artificial intelligence models with manual reviews. Schmidt explained, “Our detections combine AI‑powered screening with human verification. Our AI model analyzes connections to nearly 200 high‑risk institutions, anomalies across applications, and geographic inconsistencies. We verify identities through background checks, credential verification, and structured interviews.” These steps examine applicant networks, unusual patterns in submitted data, and location discrepancies that arise during remote hiring processes.
Schmidt emphasized the scale of Amazon’s exposure to these threats. He wrote, “As CSO of one of the world’s largest employers, my team sees these threats at a scale few organizations do. That gives us unique visibility into how these operations evolve and a responsibility to share what we’re learning.” This perspective stems from handling vast numbers of job applications, allowing identification of patterns not visible to smaller entities.
Operatives have refined their approaches over time. They engage in identity theft by targeting actual software engineers, whose established professional profiles lend credibility, rather than individuals with limited online footprints. This shift provides more convincing resumes and histories that withstand initial scrutiny.
LinkedIn tactics have grown complex. Operatives hijack dormant accounts using compromised credentials, preserving verification badges from prior activity. Networks exist where account owners exchange access for payment, further enabling impersonation. These methods exploit platform features designed for professional networking.
Applications focus increasingly on artificial intelligence and machine learning positions. Such roles carry high demand amid corporate adoption of AI technologies, potentially offering higher pay and less immediate oversight in remote setups.
Facilitators operate “laptop farms” in U.S. locations. These sites receive equipment shipments and simulate domestic presence, while operatives control the devices remotely from outside the country. This arrangement maintains the appearance of U.S.-based work during hiring and onboarding.
Educational claims evolve strategically. Patterns show shifts from East Asian universities to institutions in states without income tax, and recently to schools in California and New York. Amazon's reviews scrutinize claimed degrees in programs that the listed institutions do not offer, or with timelines that do not align with standard academic calendars.
Subtle indicators aid detection. Applicants format U.S. phone numbers with “+1” instead of simply “1.” This detail alone holds little weight but combines with other signals to form a profile of suspicious activity.
These schemes extend beyond Amazon. In June 2025, the U.S. Department of Justice issued a warning. A DOJ press release stated, “The Justice Department announced today coordinated actions against the Democratic People’s Republic of North Korea (DPRK) government’s schemes to fund its regime through remote information technology (IT) work for U.S. companies.” Actions encompassed two indictments, an information and related plea agreement, one arrest, searches of 29 known or suspected laptop farms across 16 states, seizure of 29 financial accounts used to launder illicit funds, and 21 fraudulent websites.





