Amazon says it blocked 1,800 fake job seekers linked to North Korea using AI screening
Amazon has revealed that it has blocked more than 1,800 suspected North Korean operators from remote IT job applications through April 2024 using AI screening and manual checks.
Amazon has blocked more than 1,800 suspected North Korean operators from securing remote IT jobs at the company through April 2024. The revelation comes from a public post by Amazon Chief Security Officer Stephen Schmidt, who said that North Korean (DPRK) citizens have been attempting to secure remote IT roles at companies around the world, particularly in the United States, for years.
The revelations come amid growing concerns about global companies increasingly becoming targets of state-backed financial and cyber schemes. According to Stephan, the inspiration behind these applications is simple. They want to stay employed, get paid by the company, and then send that money back to their country to finance the regime’s weapons programs.
“At Amazon, we have blocked more than 1,800 suspected DPRK operators from joining since April 2024, and we detected 27 percent more DPRK-affiliated applications quarter over quarter this year,” Stephen wrote in a post on LinkedIn.
How Amazon filtered these job applications
Stephen explained that to filter out these fraudulent job applications, Amazon relies on a combination of AI-powered screening and human verification to stop these attempts. The company’s AI systems analyze anomalies and geographic anomalies in applications, as well as links to nearly 200 high-risk institutions.
“These checks combine AI-powered screening with human verification,” Stephen wrote, adding that the automated checks are supported by background checks, credential verification, and structured interviews conducted by human teams.
The post also highlighted how sophisticated these operations have become. Instead of using fake or low-profile identities, Stephan pointed out that many of these fake job operators now present themselves as experienced software engineers with a credible online footprint. And this change makes identification more challenging, as profiles appear legitimate at first glance.
Professional platforms like LinkedIn have emerged as a major battleground for the growing number of fake job applications on the web. According to Stephan, Amazon has seen increasingly advanced tactics, including hijacking inactive LinkedIn accounts using compromised credentials. In some cases, he revealed that the company has even searched entire networks where individuals hand over access to their accounts in exchange for payment, allowing operators to pass verification checks under someone else’s identity.
Another common strategy, according to Stephen, includes so-called “laptop farms,” where these operators operate from within the US to maintain a domestic presence while the actual employees work from outside the country. This setup allows operators to bypass location-based security checks.
Apart from using fake profiles and forged background details, these operators are also manipulating their educational history. Stephen revealed that Amazon has found many profiles that are repeatedly changing their educational backgrounds, transferring from East Asian universities to institutions in US states with no income tax, and most recently to schools in California and New York. In many cases, applicants listed degrees from institutions that did not offer the claimed majors or showed academic timelines that simply did not add up.
And the problem goes far beyond Amazon. “This is not Amazon-specific. This is likely happening across the industry at large,” warns Stephan.
They have urged companies to take the threat seriously by querying internal databases for common indicators, strengthening identity verification at multiple stages of recruitment, and closely monitoring unusual technical behavior such as unusual remote access or unauthorized hardware usage.
