A slight delay in the new IT employee’s onboarding indicated to Amazon’s cybersecurity experts that he was not who he claimed to be.
Keystroke data from a laptop belonging to an employee who was supposed to be in the United States should have reached Amazon’s headquarters in Seattle in tens of milliseconds. Instead, data from that computer took more than 110 milliseconds to arrive, Amazon’s chief security officer, Stephen Schmidt, told Bloomberg.
This delay indicated that the worker was actually half a world away from the company’s office. He had been hired by an Amazon contractor that was unaware he was one of the North Korean hackers who steal money and data from Western companies by posing as remote IT workers.
Amazon employees have detected and prevented more than 1,800 attempts by North Koreans since April 2024, Schmidt said. The number of such attempts has increased by an average of 27% quarter-on-quarter this year, according to the company.
«If we hadn’t been looking for workers from the DPRK, we wouldn’t have found them,» Schmidt noted.
This year, Amazon security staff began keeping a close eye on a systems administrator hired by an outside firm after monitoring systems on the employee’s Amazon laptop alerted them to unusual behavior. Amazon discovered that the computer had been remotely controlled and traced the traffic all the way to China. Schmidt noted that the laptop did not have access to sensitive data, so security staff had been watching the hacker for some time.
«It appears that this individual used the same script as other North Koreans we’ve seen to get this job,» recalled Stephen Schmidt.
An Amazon representative said that the fraudster was helped by a woman from Arizona who was sentenced to several years in prison in July for participating in schemes with fake IT workers.
Schmidt noted that while sometimes scammers steal real identities, they tend to follow a pattern: going to the same schools and working for the same companies, often foreign consulting firms that are difficult to verify from the U.S. Other telltale signs include hesitant use of American idioms and English articles such as «a,» «an,» or «the.»
Schmidt said the North Korean fraudster was removed from Amazon’s systems within days. He stressed the need to thoroughly vet potential employees’ resumes rather than just scanning LinkedIn, and to have «good security software» that can detect subtle signs, such as small delays in data transmission from fingers on a keyboard.
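One way to turn the latency signal described above into a triage check, as an added example that is not Amazon's code. The 60 ms ceiling, the minimum sample count and the device names are assumptions, and the latency samples are constructed.

```python
# Assumed ceiling (ms) for the latency floor of a device that really is in
# the claimed region; the article only says "tens of milliseconds" for the US.
REGION_CEILING_MS = {"US": 60.0}
MIN_SAMPLES = 10  # assumed minimum before a verdict is given

def latency_floor(samples_ms):
    """Return a low-percentile latency, or None if there is too little data.

    Congestion and jitter only ever add delay, so the low end of the
    distribution tracks path length better than the mean does.
    """
    if len(samples_ms) < MIN_SAMPLES:
        return None
    ordered = sorted(samples_ms)
    return ordered[len(ordered) // 10]  # roughly the 10th percentile

def assess(claimed_region, samples_ms):
    """Compare a device's latency floor with the ceiling for its claimed region."""
    floor = latency_floor(samples_ms)
    if floor is None:
        return "insufficient-data"
    ceiling = REGION_CEILING_MS.get(claimed_region)
    if ceiling is None:
        return "no-baseline"
    # A floor above the ceiling means the path is longer than the claimed
    # location explains (distance or a relay); it is a cue for review only.
    return "review" if floor > ceiling else "ok"

# Constructed samples (ms), not real telemetry.
SAMPLES = {
    # Nearby device with two congestion spikes: mean is 87.5 ms, floor is 27 ms.
    "laptop-a": ("US", [28, 31, 27, 35, 300, 29, 33, 30, 26, 450, 32, 29]),
    # Every sample above 110 ms, as in the case the article describes.
    "laptop-b": ("US", [118, 112, 125, 131, 114, 140, 119, 116, 122, 113, 127, 115]),
    # Too few samples to say anything.
    "laptop-c": ("US", [120, 118, 125]),
}

def triage(samples=SAMPLES):
    """Return a verdict per device for the given (region, samples) mapping."""
    return {dev: assess(region, data) for dev, (region, data) in samples.items()}

if __name__ == "__main__":
    for device, verdict in triage().items():
        print(device, verdict)
```

Using the floor rather than the mean keeps a nearby laptop on a congested link out of the review queue while still catching a session whose every keystroke arrives late.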
As a reminder, in November of this year project manager Anastasia Kyrnychna described a strange exchange with a developer who had a Ukrainian name and listed Lviv as his location but said that he uses only English for work. Ukrainian IT experts suggest that programmers from North Korea or scammers from other countries were behind this account.