Amazon Exec Issues Major Warning About Threat to U.S. Companies
The retail giant Amazon has made a major decision affecting 1,800 job applications, and a top executive is issuing a warning to other companies about a looming threat.
Stephen Schmidt, who is 2nd senior vice president and chief security officer at Amazon, revealed in a LinkedIn post in late December 2025 that Amazon has stopped more than 1,800 suspected North Korean "operatives" from getting remote IT jobs at the company.
"Over the past few years, North Korean (DPRK) nationals have been attempting to secure remote IT jobs with companies worldwide, particularly in the U.S. Their objective is typically straightforward: get hired, get paid, and funnel wages back to fund the regime's weapons programs," he wrote.
Schmidt's Post Revealed That North Korean Job Applications Are Growing at Amazon
(Photo by Jakub Porzycki/NurPhoto via Getty Images)
At Amazon, Schmidt wrote, "we've stopped more than 1,800 suspected DPRK operatives from joining since April 2024, and we've detected 27% more DPRK-affiliated applications quarter over quarter this year."
"Our detections combine AI-powered screening with human verification. Our AI model analyzes connections to nearly 200 high-risk institutions, anomalies across applications, and geographic inconsistencies. We verify identities through background checks, credential verification, and structured interviews," he added.
"As CSO of one of the world's largest employers, my team sees these threats at a scale few organizations do. That gives us unique visibility into how these operations evolve and a responsibility to share what we're learning," wrote Schmidt.
The Amazon Exec Revealed That the Operatives' Efforts Have 'Become More Calculated'
Schmidt also listed a number of ways he said the strategies are getting more sophisticated and calculated. He wrote:
- "Identity theft has become more calculated. These operatives target actual software engineers who provide real credibility, rather than people with minimal online presence."
- "Their LinkedIn strategies are getting sophisticated. We're seeing them hijack dormant accounts through compromised credentials to gain verification. We've also identified networks where people hand over access to their accounts in exchange for payment."
- "They're increasingly targeting AI and machine learning roles, likely because these are in higher demand as companies adopt AI."
- "These operatives often work with facilitators managing 'laptop farms': U.S. locations that receive shipments and maintain domestic presence, while the worker operates remotely from outside the country."
- "Educational backgrounds keep changing. We've watched the strategy shift from East Asian universities, to institutions in no-income-tax states, to now California and New York schools. We look for degrees from schools that don't offer claimed majors, or dates misaligned with academic schedules."
- "Small details give them away. For example, these applicants often format U.S. phone numbers with '+1' rather than '1.' Alone, this means nothing. Combined with other indicators, it paints a picture."
He added that the operatives' efforts are not only targeting Amazon.
In June 2025, the U.S. government warned of the same scheme. "The Justice Department announced today coordinated actions against the Democratic People’s Republic of North Korea (DPRK) government’s schemes to fund its regime through remote information technology (IT) work for U.S. companies," a U.S. Department of Justice press release says.
"These actions include two indictments, an information and related plea agreement, an arrest, searches of 29 known or suspected “laptop farms” across 16 states, and the seizure of 29 financial accounts used to launder illicit funds and 21 fraudulent websites."