Lag. We all know it, and we’ve all felt the frustration that it wreaks, whether you’re caught in a crunchy video call or watching a pal haplessly teleport around the map in Arc Raiders. However, it’s now being used as an unlikely piece of evidence in another bizarre tale of alleged corporate espionage.
Amazon began to suspect something was amiss when it looked at the keystroke data from a new IT hire. To the company’s knowledge, the employee was US-based so there should have been a comfortably less than 100 millisecond delay between them typing commands on their corporate laptop, and those inputs reaching the head office in Seattle. However, the delay was in fact 110 milliseconds, suggesting the employee was based further afield than first thought.
Amazon’s Chief Security Officer Stephen Schmidt communicated to Bloomberg a bizarre bigger picture. It turns out the employee with the lag was in fact a North Korean attempting to skirt international sanctions and funnel money back into the Democratic People’s Republic of Korea (or DPRK) via remote work. After a few days of investigation and monitoring, they were ousted from Amazon’s systems.
According to Schmidt, the company has thwarted 1,800 similar attempts by North Koreans to be hired by Amazon since April 2024. Apparently it’s an increasing trend, as Amazon has seen on average a 27% increase in such attempts from quarter to quarter this year alone. None of these North Korean remote workers are hired directly by Amazon; many attempt to be hired via a US-based contractor, who then acts as a proxy for the North Korean remote worker.
We’ve seen similar stories before, most memorably with one Arizona woman acting as a proxy to hundreds of North Koreans via 90 corporate laptops.
The concern with such proxies is that they are aiding in the diversion of funds towards the DPRK’s weapons program—and this particular proxy alone allegedly generated $17 million in illicit revenue. The woman acting as a proxy pleaded guilty “to conspiracy to commit wire fraud, aggravated identity theft, and conspiracy to launder monetary instruments,” according to the US Department of Justice. She has since been sentenced to more than eight years in prison.
While this particular proxy used a number of false identities in order to secure the remote work, Schmidt explains that this isn’t always the case. He says there are often tells on a North Korean remote worker’s resume, such as the same schools cropping up or the inclusion of experience at overseas consulting firms that are difficult for a US-based hiring team to verify.
But notably Schmidt tells Bloomberg, “If we hadn’t been looking for the DPRK workers, we would not have found them.”
The keystroke lag was only brought to greater internal attention at Amazon when monitoring systems on the remote workers corporate laptop alerted the security team of unusual behaviour. Investigation found the machine was being remote controlled, but the activity could only be traced as far as China initially. Ultimately, the remote worker’s resume was what gave them away, bringing to a close another strange chapter in the dark side of remote work.
