Amazon Flags 1,800 Suspected North Korean Job Scammers as DPRK Malware Activity Escalates

Key Takeaways

  • Amazon says it blocked more than 1,800 suspected DPRK-linked job applicants since April 2024
  • Researchers report a new, heavily obfuscated variant of BeaverTail malware tied to Lazarus Group subgroups
  • North Korean operatives are increasingly hijacking real engineers’ identities and relying on “laptop farmers” inside the US

Amazon’s security organization has been tracking the rise of North Korean fake IT workers for some time, but the company’s latest numbers are blunt: more than 1,800 suspected DPRK-affiliated applicants were blocked from entering its workforce since April 2024. That update came from Chief Security Officer Steve Schmidt, who noted a 27 percent quarter‑over‑quarter increase in applications tied to North Korean operators. It’s a sharp figure, though maybe not surprising given how quickly the scam has professionalized.

The broader scheme has been well‑documented. Real developers working on behalf of the North Korean regime adopt fake or stolen identities to secure remote roles at US and European companies. Some use AI tools to craft resumés or spin up entire online personas. Others reportedly bring deepfake video into live interviews. It’s a strange moment: HR teams that spent years moving interviews online are now dealing with applicants who might not be real in any meaningful sense.

Once hired, these workers send much of their income back to Pyongyang, which the US government says is routed into weapons programs. And while that core financial motive is bad enough, some operators go further by stealing source code or sensitive corporate data and threatening to leak it unless employers pay up. Socure executive Rivka Little told The Register earlier that she believes every Fortune 100—and likely every Fortune 500—has “a pretty high number of risky employees on their books.” It’s a bold line, but it reflects what many CISOs discuss quietly.

A quick aside: it’s remarkable how small tells still matter. Schmidt pointed to the way some applicants format US phone numbers with “+1” instead of “1.” On its own, no one would care. But combined with other context, it becomes one of those subtle signals hiring teams start to recognize.

Even so, Amazon appears to be leaning heavily on automation and verification. According to Schmidt, the company runs AI-powered screening that analyzes ties to nearly 200 high‑risk institutions, flags anomalies across applications, and looks for geographic inconsistencies. Human teams then validate identities through background checks, credential review, and structured interviews. It sounds straightforward until you consider the scale of global hiring pipelines, where a single enterprise might process tens of thousands of applicants every quarter.

And yet, threat actors evolve when patterns get blocked. Schmidt said some DPRK workers have shifted away from pure fake identities and now hijack dormant LinkedIn profiles belonging to real software engineers. It’s easy to see why: a long‑established profile with authentic work history, conferences, and recommendations instantly smooths over the credibility gaps that often sink fake personas. It also forces hiring teams to rethink how much trust they place in platforms built for networking, not authentication.

Another wrinkle is the rise of American “laptop farmers.” These intermediaries receive corporate laptops meant for the supposed US‑based new hires and then host them on behalf of the overseas workers. The result is that the devices appear to be operating from within the United States. Okta Threat Intelligence flagged this pattern earlier this year, noting that DPRK-linked applicants are now popping up far outside traditional IT roles—in finance, healthcare, public administration, and professional services. That expansion alone should prompt HR, security, and compliance teams to talk more often than they probably do now.

Parallel to the hiring scam, security researchers are tracking an updated version of BeaverTail, an infostealer and malware loader associated with multiple subgroups inside the Lazarus Group. Darktrace reported that a sample recovered in November contained more than 128 layers dedicated purely to concealment and used decoy payloads to slip past defenses. It’s a lot of effort for a loader, but that’s the point: BeaverTail plays a long game by helping operators quietly deliver the Python‑based InvisibleFerret backdoor across Windows, macOS, and Linux.

The surveillance capabilities tied to BeaverTail—keylogging, screenshot capture, clipboard monitoring—are classic data exfiltration techniques, but they’re increasingly aimed at cryptocurrency wallet theft. That overlaps with the regime’s broader financial strategy, documented across multiple US government advisories and underscored by data on DPRK’s crypto theft volume published by sources like Chainalysis. It’s one of those areas where the economic and espionage sides of the operation blur together.

Infosec teams will note that BeaverTail is linked to several Lazarus offshoots, including Famous Chollima, Gwisin Gang, and Tenacious Pungsan. Those subgroups have different operational styles, but the tooling overlap reinforces what analysts have said for years: the DPRK cyber ecosystem shares infrastructure, codebase elements, and occasionally personnel in ways that can make attribution messy.

Companies looking for immediate actions don’t have to guess at where to start. Schmidt pointed to keystroke lag during interviews as one real‑world giveaway. He also suggested querying internal HR data for recurring patterns across resumés, emails, phone numbers, and educational claims. It’s basic hygiene but often overlooked because hiring systems tend to optimize for speed, not security.
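The HR-data query Schmidt suggests, as an added example in Python that is not Amazon's tooling or part of the original article: it normalizes phone numbers so formatting variants collide, groups applicants who share a phone number or educational claim, and records the “+1” formatting tell mentioned earlier in the piece. The applicant records are constructed, and the field names and signal labels are assumptions; each signal is weak on its own and is meant to be combined, as the article notes.

```python
import re
from collections import defaultdict

# Constructed sample applicant records (not real data) for demonstration.
APPLICANTS = [
    {"id": "A1", "name": "Jane Doe", "email": "jane.doe@example.com",
     "phone": "+1 (415) 555-0101", "school": "State University"},
    {"id": "A2", "name": "John Roe", "email": "john.roe@example.com",
     "phone": "1-415-555-0101", "school": "Tech Institute"},
    {"id": "A3", "name": "Sam Poe", "email": "sam.poe@example.com",
     "phone": "+1 212 555 0199", "school": "State University"},
    {"id": "A4", "name": "Alex Moe", "email": "alex.moe@example.com",
     "phone": "(312) 555-0133", "school": "City College"},
]

def normalize_phone(raw):
    """Reduce a US phone number to its 10 digits so formatting variants collide."""
    digits = re.sub(r"\D", "", raw)
    if len(digits) == 11 and digits.startswith("1"):
        digits = digits[1:]
    return digits

def plus_one_prefix(raw):
    """The tell from the article: '+1' written where a US applicant typically writes '1' or nothing."""
    return raw.strip().startswith("+1")

def shared_values(applicants, field, normalizer=lambda v: v.strip().lower()):
    """Group applicant ids by normalized field value; keep values used by more than one applicant."""
    groups = defaultdict(list)
    for a in applicants:
        groups[normalizer(a[field])].append(a["id"])
    return {v: ids for v, ids in groups.items() if len(ids) > 1}

def review_queue(applicants):
    """Per-applicant list of signals worth a human look (hypothetical labels)."""
    phone_clusters = shared_values(applicants, "phone", normalize_phone)
    school_clusters = shared_values(applicants, "school")
    flags = defaultdict(list)
    for a in applicants:
        if normalize_phone(a["phone"]) in phone_clusters:
            flags[a["id"]].append("phone shared with another applicant")
        if a["school"].strip().lower() in school_clusters:
            flags[a["id"]].append("school claim shared with another applicant")
        if plus_one_prefix(a["phone"]):
            flags[a["id"]].append("+1 phone format")
    return dict(flags)

if __name__ == "__main__":
    for applicant_id, signals in review_queue(APPLICANTS).items():
        print(applicant_id, signals)
```

Applicants sharing a phone number across distinct identities (A1 and A2 above) are the strongest hit; a shared school alone is normal and only matters alongside other signals.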

You can almost hear an unspoken question emerging for B2B teams: how many of your processes assume that an applicant’s digital identity is both authentic and controlled by the same person on the other end of the call? It’s a small question with a large blast radius.

Still, no single safeguard is enough. Schmidt advocated combining multistage identity verification with monitoring for suspicious technical behavior, such as unusual remote access or unauthorized hardware. Some organizations already do that for contractors working on sensitive systems. The challenge now is deciding where that line should fall for the rest of the workforce.

The intersection of fraudulent hiring pipelines and increasingly stealthy malware isn’t just a security story; it’s operational risk sitting in plain sight. As Schmidt’s numbers make clear, enterprises are dealing with a persistent campaign that treats corporate hiring as a revenue stream and foothold opportunity. And the people running it are getting better at blending in.