A North Korean imposter managed to land a job inside Amazon’s IT department, but a tiny delay in keystrokes ultimately gave them away. According to a new report, security teams at the tech giant noticed something odd about a supposedly US-based remote worker. Every keypress was arriving just a little too late, a clue that eventually exposed the worker’s true location, as reported by Tom’s Hardware.
The red flag was subtle but telling. For remote employees located in the United States, keystroke data is typically transmitted in a matter of tens of milliseconds. In this case, Amazon’s security software detected input delays exceeding 110 milliseconds. That kind of lag suggested the laptop was not being used directly by someone in the US, but instead was being remotely controlled from much farther away.
Amazon’s Chief Security Officer, Stephen Schmidt, explained that the company has been deliberately hunting for these kinds of infiltration attempts. According to Schmidt, Amazon has blocked more than 1,800 efforts by North Korean operatives to enter the company since April 2024. Even more concerning, those attempts are accelerating, with Amazon seeing a 27% quarter-over-quarter increase in such cases.
The case unfolded earlier this year when monitoring tools on a newly issued Amazon laptop raised alerts about unusual behavior. Security specialists took a closer look and determined that the system was being accessed remotely, which explained the persistent input lag. Schmidt stressed that without actively looking for this specific threat, the activity might never have stood out. In his words, if Amazon had not been searching for DPRK workers, it would not have found them.
Further investigation revealed that the laptop itself was physically located in Arizona, while being controlled from abroad. Authorities later identified a woman who had been helping facilitate the scheme on behalf of North Korean operatives. She was sentenced to several years in prison earlier this year, underscoring how these operations often rely on local accomplices to appear legitimate.
Technical clues are not the only giveaways. Schmidt noted that language issues continue to trip up impostors. Awkward use of American idioms, articles, and phrasing during conversations has repeatedly helped expose fake identities, even when resumes and credentials initially look convincing.
The broader issue goes far beyond a single company or one intercepted laptop. US officials have warned that North Korea uses these fake remote jobs to generate hard currency for the regime, and in some cases to position itself for espionage or sabotage. While Amazon’s proactive approach has uncovered hundreds of attempts, security experts believe this represents only a fraction of the overall activity.
As remote work becomes more common, this case highlights a new kind of digital fingerprint. Something as mundane as keyboard latency can reveal far more than intended, and for companies under constant pressure from state-backed cyber operations, even a few extra milliseconds can make all the difference.