The company says fake North Korean job applications are likely occurring widely, especially for AI and machine learning roles.
Amazon’s top security executive said that over the past 20 months, the company has blocked more than 1,800 North Korean nationals from obtaining remote internet technology jobs that would ultimately fund weapons programs in the country.
Stephen Schmidt, senior vice president and chief security officer (CSO) at Amazon, said in a Dec. 19 LinkedIn post that North Korean operatives in increasing numbers are using artificial intelligence (AI) and manipulating LinkedIn to apply for remote software engineering jobs.
Amazon blends an AI screening process with human verification to filter job applications, Schmidt said. The company has detected a 27 percent quarter-over-quarter rise in job applications from North Korean affiliates.
In late June, the Justice Department announced a coordinated crackdown against North Korea over the country’s use of stolen or fake identities to obtain IT jobs in the United States. North Korean operatives had secured employment at more than 100 U.S. organizations, including multiple Fortune 500 companies, the department’s investigation found.
At Amazon, Schmidt said his security team uses artificial intelligence to analyze connections at nearly 200 high-risk institutions to detect anomalies across job applications, as well as geographic inconsistencies. The company vets the identity and country of origin of job applicants through a combination of interviews, background checks, and credential verification.
“As CSO of one of the world’s largest employers, my team sees these threats at a scale few organizations do,” Schmidt said in his post. “That gives us unique visibility into how these operations evolve and a responsibility to share what we’re learning.”
The sharp increase in phony job applications from North Korea isn’t limited to just Amazon; Schmidt said it’s likely occurring on a much larger scale, particularly at companies desperate for talented employees for AI and machine learning roles.
According to Palo Alto Networks’ 2025 Global Incidents Report, insider cyber threat cases from North Korea tripled in 2024. Although large tech companies remain primary targets, North Korean operatives in 2024 expanded their reach to include financial services, media, retail, logistics, entertainment, telecommunications, IT services, and government defense contractors.
“North Korean threat actors exploit traditional hiring processes with stolen or synthetic identities backed by detailed technical portfolios,” the report stated. “These portfolios can include legitimate references obtained through identity manipulation and previous real work histories that pass basic verification.”
By Rob Sabo







