An Amazon IT Worker Was Outed As A Fraud Thanks To This Subtle Giveaway
Keystroke input lag is a familiar problem, especially in the Windows ecosystem. Outdated keyboard drivers, key filtering, and background software are some of the reasons behind the issue. In gaming circles the stakes are higher: the response rate can be under a millisecond, especially for esports enthusiasts. Interestingly, Amazon used the same metric to sniff out a remote worker based in a shocking locale.
Amazon was able to catch the worker after spotting a keystroke latency that was suspiciously high. Amazon's Chief Security Officer Stephen Schmidt told Bloomberg that the worker's keystrokes took 110 milliseconds to register in the workflow, a number that would typically be in just the tens of milliseconds for an employee working remotely in the U.S. As a result, the millisecond-level gap was a dead giveaway that the employee was based far from Amazon's headquarters in Seattle, Washington, and was enough to raise alarms.
The employee was fired within a few days of the suspicious behavior being flagged, and their true location was traced. The laptop sent over by Amazon to the designated employee, supposedly based in the U.S., was actually being remotely controlled from an altogether different location: North Korea. The country has been sanctioned heavily, and as a result, U.S.-based companies can't employ workers from it. When Amazon's team dug deeper into the details submitted to a hiring contractor, there were telltale signs of fraud that have more recently been weaponized by North Koreans. "If we hadn't been looking for the DPRK workers, we would not have found them," Schmidt was quoted as saying. For context, companies often install software that flags security risks on computers assigned to employees, and they also track productivity using the frequency of mouse clicks and key inputs.
A dark pattern
The spotting — and subsequent firing — of the North Korea-based Amazon worker is not a one-off incident for the e-commerce giant. Amazon has thwarted 1,800 job applications linked to North Korean agents, who rely on stolen or fake identities for remote jobs. Schmidt wrote in a LinkedIn post that there has been a 27% surge in the number of such candidates, adding that these applications target IT companies across the world, and that the U.S. is a hotspot for these incidents.
"Their objective is typically straightforward: get hired, get paid, and funnel wages back to fund the regime's weapons programs," the Amazon executive wrote, warning that the scam is unfolding across the industry. Amazon relies on a mix of AI-powered vetting and human verification to identify risk factors and location inconsistencies in job applications. Additionally, there are strict background check protocols in place to ensure that it is hiring a legitimate candidate. Schmidt highlighted how scammers are taking over dormant LinkedIn profiles to pass themselves off as legitimate American workers with experience, and that there's a network of bad actors offering such services for a price.
In June, the U.S. government spotted 29 known or suspected "laptop farms" operating across 16 states with North Korean affiliation. Workers relied on fake IDs for remote employment at tech companies, after receiving help from actors based in the U.S., China, the United Arab Emirates, and Taiwan. A month later, a woman from Arizona was arrested for assisting North Korean citizens in getting jobs at a hundred American companies and generating millions in revenue for the sanctioned nation. Simultaneously, North Korea-affiliated hackers continue to be a major security nuisance, with their most recent cyber heist hauling in $1.5 billion in stolen crypto.