North Korean remote workers infiltrate Amazon, but their true identity is revealed due to 'keyboard input delay'

The increasing number of IT workers linked to the North Korean government using false identities to work remotely for overseas companies and then illegally access their workplaces' systems to steal information has become a problem. It has been reported that a North Korean operative was working remotely as a systems administrator at Amazon, but his infiltration was revealed due to keyboard input delays.

Amazon Caught North Korean IT Worker By Tracing Keystroke Data - Bloomberg
https://www.bloomberg.com/news/newsletters/2025-12-17/amazon-caught-north-korean-it-worker-by-tracing-keystroke-data

North Korean infiltrator caught working in Amazon IT department thanks to lag — 110ms keystroke input raises red flags over true location | Tom's Hardware
https://www.tomshardware.com/tech-industry/cyber-security/north-korean-infiltrator-caught-working-in-amazon-it-department-thanks-to-lag-110ms-keystroke-input-raises-red-flags-over-true-location

It has been reported many times that North Korea is evading sanctions by sending IT workers, primarily through remote work, to companies in other countries to conceal their identities and fund its weapons development programs. Amazon says it has blocked more than 1,800 such recruitment attempts since April 2024.

FBI warns that thousands of North Koreans are falsely identities and working as remote workers in other countries, sending wages to North Korea for missile program - GIGAZINE

According to Bloomberg, the individual in question was recruited as a systems administrator through an outside contractor, and Amazon sent a company laptop to an address in Arizona, which was actually the address of a woman working as a proxy for North Korea.

In early 2025, the monitoring system installed on the laptop detected unusual behavior, prompting security staff to launch a detailed investigation. The definitive evidence was the latency of keyboard input data reaching headquarters. While data typically arrives in the tens of milliseconds for remote workers in the United States, the latency for the laptop in question was over 110 milliseconds.

This slight delay suggested the worker might be on the other side of the world. Further investigation revealed that the communications were traced back to China. The submitted resumes and applications matched patterns previously identified for North Korean agents, and the use of unnatural English idioms and articles also provided further evidence of the suspect's identity.

Amazon subsequently removed the remote worker from its system within days of identifying him, and a woman in Arizona who helped with the scheme faces several years in prison in July 2025.

An Arizona woman was sentenced to eight and a half years in prison for running a 'laptop farm' that helped North Korean workers earn over ¥2.5 billion by hiding their identities and working remotely at 309 companies.