Amazon has disclosed that it is blocking more than 1,800 job applications for remote IT positions suspected of being linked to North Korea. According to BBC News, the applications are being submitted by operators using stolen or fraudulent identities. Amazon's Chief Security Officer, Stephen Schmidt, highlighted in a post published on LinkedIn that North Korean applications have increased by nearly one-third over the past year. According to Schmidt, these operators typically work with individuals managing "laptop farms"—a term referring to clusters of computers stationed on U.S. territory but accessed remotely from outside the country.
According to Schmidt, the group's objective is to "get hired, get paid, and funnel wages back to fund the regime's weapons programs." Schmidt notes that similar operations are continuing on a large scale across the industry; Amazon is therefore screening not only its own applicant pool but also its broader supplier and contractor network against similar risks. The company's approach signals that the technology sector is making increasingly serious investments in insider threat mitigation.
The scale of the problem extends beyond individual applications. In June 2025, the U.S. government announced that it had identified 29 "laptop farms" operating illegally nationwide. According to the Department of Justice (DOJ), these farms use stolen or fabricated identities of American citizens to enable North Korean IT workers to find jobs in the U.S. This operational model exploits blind spots in employer identity verification processes during an era of widespread remote work; deepfake tools used in video interviews, fabricated work histories, and bank accounts opened through third parties are all components of this chain.
The implications of this situation for supply chain security and third-party risk management are significant. Global employers struggle to verify the genuine identities of candidates applying for remote developer positions; individuals hired under fraudulent identities not only facilitate the channeling of salaries to sanctioned regimes but also create insider threat scenarios that pose risks of unauthorized access to critical systems. Amazon's approach points to the need for deeper identity verification layers, stronger IP and device-fingerprint tracking, and continuous updates to OFAC sanctions compliance programs. The company states that it is sharing threat intelligence with industry stakeholders and that patterns related to these applications are being converted into common threat indicators circulating across the sector. Ultimately, this incident demonstrates that the remote work ecosystem is transitioning to a new layer of scrutiny in the supply chain security domain.
Key Points:
1. Amazon is blocking more than 1,800 suspected North Korean job applications.
2. CSO Stephen Schmidt observed an increase of approximately one-third in application volume over the past year.
3. The laptop farm model allows devices in the U.S. to be accessed remotely from outside the country.
4. The DOJ identified 29 illegal laptop farms in June 2025.
5. Salaries obtained are being funneled to the regime's weapons programs.