Amazon blocked 1,800 suspected North Korean scammers seeking jobs
Plus: Lazarus Group has a brand new BeaverTail
by Jessica Lyons · The Register
Even Amazon isn't immune to North Korean scammers who try to score remote jobs at tech companies so they can funnel their wages to Kim Jong Un's coffers.
The cloud giant has stopped more than 1,800 suspected scammers from the Democratic People's Republic of Korea (DPRK, aka North Korea) from joining its workforce since April 2024, Amazon Chief Security Officer Steve Schmidt said Thursday.
"And we've detected 27 percent more DPRK-affiliated applications quarter over quarter this year," Schmidt said in a LinkedIn post.
North Korea’s fake worker scam sees real developers use fake or stolen identities to apply for remote jobs at US and European companies. Applicants often use AI tools to help draft resumés or develop social media personas, and sometimes the scammers even use deepfakes during video interviews to increase their chances of getting hired.
Once they're employed, they remit much of their income to the North Korean regime, which, according to the US government, uses it to fund weapons programs.
Most Fortune 500 companies have fallen for the scam, which has cost American businesses tens of millions of dollars.
In some cases, the fraudsters use their insider access to steal proprietary source code and other sensitive data, and then extort their employers with threats to leak corporate data unless a ransom is paid.
"We believe, at this point, every Fortune 100 and potentially Fortune 500 has a pretty high number of risky employees on their books," Socure Chief Growth Officer Rivka Little told The Register in an earlier interview.
BeaverTail back, badder than ever
In addition to fielding fake IT workers to support their illicit activities, DPRK-linked crews have also developed a newer variant of BeaverTail, an infostealer and malware loader, that adds heavier obfuscation and signature evasion.
Darktrace researchers say an updated sample of the malware they uncovered in November contained more than 128 layers dedicated entirely to concealment and used decoy payloads to evade detection.
Infosec researchers have linked the malware to multiple subgroups, including Famous Chollima, Gwisin Gang, and Tenacious Pungsan, within the Lazarus Group, and believe attackers used it in the ongoing Contagious Interview campaign.
BeaverTail has been seen targeting Windows, macOS, and Linux systems, and is frequently used to load the Python-based InvisibleFerret backdoor. In addition to the usual info-stealer capabilities, it also has several surveillance features including keylogging, screenshot capture, and clipboard monitoring – which attackers use to steal cryptocurrency wallet data.
According to Schmidt, Amazon uses a combination of AI screening and human verification to filter out suspected fraudsters.
"Our detections combine AI-powered screening with human verification," he wrote. "Our AI model analyzes connections to nearly 200 high-risk institutions, anomalies across applications, and geographic inconsistencies. We verify identities through background checks, credential verification, and structured interviews."
But even with this amount of compute-and-people-power, it's getting more difficult to detect fake IT workers.
Some North Korean operatives have moved on from creating fake online identities and instead inhabit real software engineers' identities by using stolen credentials to hijack dormant LinkedIn accounts to add credibility to their job applications, Schmidt said.
Plus, they often work with American laptop farmers who receive corporate laptop shipments and host computers for overseas IT workers posing as US residents, enabling the devices to appear to be operating from within the United States.
As Okta Threat Intelligence pointed out earlier this year, fraudsters are interviewing at a growing number of firms outside the IT sector including finance, healthcare, public administration, and professional services.
Companies can defend against this risk, as The Register has previously reported.
As Schmidt told Bloomberg, keystroke lag is one giveaway.
Small details, such as formatting US phone numbers with "+1" rather than "1," or degrees from schools that don't offer claimed majors – when combined with other indicators – can also be strong hints, he wrote on LinkedIn.
"If you're concerned about these threats in your organization, query your databases for common indicators: patterns in resumés, emails, phone numbers, educational backgrounds," Schmidt said. "Implement identity verification at multiple hiring stages and monitor for anomalous technical behavior: unusual remote access, unauthorized hardware." ®
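The checks Schmidt describes can be run as simple queries over the applicant and endpoint data a company already holds. The script below is an added example, not Amazon's or The Register's code: it applies the indicators named in the article (a phone number or e-mail reused across applications under different names, US numbers written "+1" rather than "1", a degree in a major the school does not offer, education at a high-risk institution, and many employees' devices checking in from one external address, the laptop-farm pattern) to constructed sample data. The school catalog, the high-risk list, the three-user threshold and the known-corporate-egress set are assumptions for illustration, and "+1" formatting is scored only as a weak hint, as the article says.

```python
"""Added example (not Amazon's or The Register's code): screen applicant records
and endpoint check-ins for the DPRK fake-worker indicators named in the article.
All data below is constructed; catalog, high-risk list and thresholds are assumptions."""
from collections import defaultdict
import re

# Constructed sample applicants, not real people.
APPLICANTS = [
    {"id": 1, "name": "A. Smith", "email": "asmith@example.com", "phone": "+1 415 555 0101",
     "school": "Example State University", "major": "Computer Science"},
    {"id": 2, "name": "B. Jones", "email": "bjones@example.com", "phone": "1 415 555 0101",
     "school": "Example State University", "major": "Marine Biology"},
    {"id": 3, "name": "C. Lee", "email": "clee@example.com", "phone": "1 212 555 0199",
     "school": "Sample Institute", "major": "Software Engineering"},
]

# Assumed catalog of majors each school actually offers.
SCHOOL_MAJORS = {
    "Example State University": {"Computer Science", "Mathematics"},
    "Sample Institute": {"Software Engineering"},
}
# Assumed high-risk institution list (the article says Amazon's list has nearly 200 entries).
HIGH_RISK_INSTITUTIONS = {"Sample Institute"}


def normalize_phone(phone):
    """Digits only, so '+1 415 ...' and '1 415 ...' collapse to the same key."""
    return re.sub(r"\D", "", phone)


def score_applicants(applicants, catalog, high_risk):
    """Return {applicant id: [indicator, ...]} for the indicators in the article."""
    names_by_phone, names_by_email = defaultdict(set), defaultdict(set)
    for a in applicants:
        names_by_phone[normalize_phone(a["phone"])].add(a["name"])
        names_by_email[a["email"].lower()].add(a["name"])

    findings = {}
    for a in applicants:
        hits = []
        if len(names_by_phone[normalize_phone(a["phone"])]) > 1:
            hits.append("phone shared with another applicant")
        if len(names_by_email[a["email"].lower()]) > 1:
            hits.append("email shared with another applicant")
        if a["phone"].strip().startswith("+1"):
            hits.append("phone formatted '+1'")  # weak hint on its own
        offered = catalog.get(a["school"])
        if offered is not None and a["major"] not in offered:
            hits.append("major not offered by school")
        if a["school"] in high_risk:
            hits.append("high-risk institution")
        findings[a["id"]] = hits
    return findings


# Constructed endpoint check-in log: (employee, external IP the laptop reported from).
DEVICE_CHECKINS = [
    ("user.a", "203.0.113.10"), ("user.b", "203.0.113.10"), ("user.c", "203.0.113.10"),
    ("user.d", "198.51.100.7"), ("user.a", "203.0.113.10"), ("user.e", "192.0.2.50"),
]
KNOWN_CORPORATE_EGRESS = {"192.0.2.50"}  # assumed office/VPN egress, excluded from the check


def shared_egress_ips(checkins, known_egress=KNOWN_CORPORATE_EGRESS, min_users=3):
    """Flag external IPs that many distinct employees' devices share (laptop-farm pattern).
    Corporate NAT/VPN egress must be excluded or every office would trip the rule."""
    users_by_ip = defaultdict(set)
    for user, ip in checkins:
        if ip not in known_egress:
            users_by_ip[ip].add(user)
    return {ip: sorted(users) for ip, users in users_by_ip.items() if len(users) >= min_users}


if __name__ == "__main__":
    for app_id, hits in score_applicants(APPLICANTS, SCHOOL_MAJORS, HIGH_RISK_INSTITUTIONS).items():
        print(app_id, hits)
    print(shared_egress_ips(DEVICE_CHECKINS))
```

The indicators are combined rather than used alone, as the article stresses: one "+1" is noise, but a "+1" number that another applicant also listed, attached to a major the school does not teach, is worth a human look. Phone normalization is what lets the reuse check catch the same number written in two formats.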