A North Korean imposter was uncovered, working as a sysadmin at Amazon U.S., after their keystroke input lag raised suspicions with security specialists at the online retail giant. Normally, a U.S.-based remote worker’s computer would send keystroke data within tens of milliseconds. This suspicious individual’s keyboard lag was “more than 110 milliseconds,” reports Bloomberg.
Amazon is commendably proactive in its pursuit of impostors, according to the source report. The news site talked with Amazon’s Chief Security Officer, Stephen Schmidt, about this fascinating new case of North Koreans trying to infiltrate U.S. organizations to raise hard currency for the Democratic People’s Republic of Korea (DPRK), and sometimes indulge in espionage and/or sabotage.
Sounds much better than “Amazon surveils keystrokes of its IT workers”!
This was also my takeaway. Sounds like a security nightmare if they are logging any data.
If you use a company-provided computer for work, then it’s safe to assume they’re already doing that.
The problem is that you don’t want to record important information like passwords so if they did log them, it’s another possible vector of loss. I e if someone got into that copy of the data
That’s a valid point.
Well it isn’t paranoia if North Korean impostors really are working in your company.
Yeah, hate it all you want. But risk scales with the amount of employees you have. At the scale of Amazon you have to do literally everything to minimise risk.
How am I the first person to ask why they’re measuring the latency on everyone’s keystrokes?
On one side I feel like “cool, they managed to find a spy on this sophisticated way”
On the other side I’m thinking what kind of intrusive keylogging malware did they install on all their employees laptops…
I mean, if it’s a company-owned laptop, they can do whatever the fuck they want with it. I bring a personal laptop to work for browsing and YouTube and whatnot, attached to a VPN.
This article is just building justification for spying on your employees
I guess this is inevitable at huge companies. Nobody cares about the actual person you’re hiring, it’s just another position to fill. Of course there will be fakes of all kinds.
It’s not that, it’s that they are incredibly sophisticated in their techniques. I just had to sit through 90 minutes of training about how to spot fake applicants.
I don’t get why companies can’t solve this problem entirely by just flying out applicants for in-person interviews towards the end of the hiring process. Or hell, maybe only even ask the candidate to fly out for a visit after they’ve already accepted the job offer. Just one minimal and relatively cheap step to confirm the remote worker you’re hiring is who they claim to be. For the cost of a flight, a night or two in a hotel, and some meal vouchers, you can verify someone’s identity. Sure, maybe not for freelance work. But for any well paid technical field? This is a trivial expense.
It not practical at a remote first company to fly people out to where we happen to have offices when they could be working from anywhere.
It’s cheap-ish for a flight, but at scale, the starts to become an expensive hiring pipeline.
So what did you learn?
It’s more a list of warnings signs.
- blurred/virtual background (we make them turn it off during interviewing)
- refusal to do gestures or follow specific instructions (wave your hand in front of your face)
- not familiar with local knowledge like weather
- appearing to read from the screen or phone
There’s more than that, but those are the highlights.
Yeah capitalism says: but cheaper worker ok
I wonder how many they’ve missed over the years, this kind of thing has been occuring since at least 2012.
Reminded me of the ‘critical infrastructure company’ (I presume utility) software developer who handed all his credentials over to a worker in China, including mailing them his RSA keyfob, and wasn’t discovered for months until the company security team noticed VPN logins coming from China.
Apparently it’s become even easier for malicious remote workers to fake resumes and identities to gain jobs via AI, so I hope all major companies are monitoring their remote access very closely.
deleted by creator
weasel language. the “infiltrators” are literally working a job for them.
Correct. The hostile actor gained employment with their victim, a common method of infiltration. You should look up the definition of infiltration.
working a job is not infiltration.
It kinda is, its practically a requirement for a lot of corporate espionage and a lot of spies have entire lives alongside their spy duties. Also fun joke I’ve heard about Vladivostok during the Cold war, “There were surprisingly only a handful of people in that city, American spies, Soviet counter intelligence, smugglers, cargo movers, and baristas who ignored the whole mess” heard that from an ex-CIA guy who was doing a talk at a spy exhibit back when I was a kid.
so? does working a job == espionage because it’s north korea? i don’t think they have ever gone at war or any kind of open conflict with western countries at all recently excluding the thing with south korea and the us not liking their existence…?
why are their workers totally all spies as opposed to say, chinese ones, which might even have a stronger interest in keeping an eye on the west? you don’t seem to have much issue with them.
as i said to me, it sounds like weasel language to smear this specific country for trying to get around the sanctions imposed on them.
The Norks have quite literally done data breaches and major hacks via this exact method in the past. They basically have nothing to lose on the international level so they do this and then trade it to countries like China or Russia for whatever it is they want. If they didn’t have a documented history of doing shit like that nobody would assume espionage.
If they didn’t have a known tendency towards weird espionage shit going back to the 50 and 60s nobody would care, but they do have a known tendency towards doing weird espionage shit.
and the chinese has been stealing back tech from you for decades this exact way, but you don’t mind them working for you.
maybe if they weren’t santioned from hell and back.
By itself no, but employment absolutely is compatible with infiltration. In fact, it doesn’t even have to be a foreign-state actor, or even a witting party (e.g. clicking on stuff in spam mail). See: insider threat, and data exfiltration.
Yeah, and its curious to see you getting downvotes for the intra-departmental outsourcing that’s been rampant through the tech sector for a while now.
What we’ve got isn’t some nefarious plot by the Chinese-Adjacent to invade our precious trillion dollar tech industry. Its the deliberate consequence of sanctioning a country to the hilt to devalue local labor, then exploiting the sanctioned locals to extract labor at below market rate.
This is not some kind of facewashing?
No
deleted by creator
Isn’t this an example of them taking it pretty seriously?
Right? I never heard of tracking employee’s keystroke latency before. Pretty genius.
How do they even?? They can’t know the difference in time between the humans key input and the computer’s receipt of it, since they can’t possibly know the exact millisecond the human input was made…?
The reported article really sounds like a misreading of a more technical document
If you’re on an ssh connection to a server, they can probably track the keystroke latency and average out over time. All network packets have timestamps, so you can know the latency of each one. If it’s consistently high, that’s unlikely to be a fluke or temporary network slowness.
Tcp/ip packets don’t have timestamps. They wouldn’t be reliable even if they did. And they certainly wouldn’t be “millisecond accurate”.
Vdi tracks round trip latency but 100ms isn’t that far.
I bet they didn’t use keystroke latency but that’s what they said they used. They probably used drone reconnaissance.
Yeah 100ms is like coast-to-coast US
Hopefully someone can share the original paywalled Bloomberg article, maybe it goes into more detail
Reader mode worked for me: https://www.bloomberg.com/news/newsletters/2025-12-17/amazon-caught-north-korean-it-worker-by-tracing-keystroke-data
But if you need the archive link: https://archive.ph/p4AcP
Average response from entering a line and starting the next. There’s a delay while the information is sent, and before they start typing the next line.
It’s actually common for micromanaging to have software that tracks this. I believe Microsoft Teams has something similar managers can use to track “productivity”. Someone probably just compiled all of it and clicked sort, then saw some Asian name at the top and that’s what raised the red flag.
