ViralHerald.net


110 Milliseconds of Suspicion: How Amazon Caught a North Korean Hacker by Keystroke Lag

Amazon's security team uncovered a North Korean imposter working as a sysadmin after detecting a telltale 110ms keystroke delay—revealing a massive infiltration campaign with 1,800+ attempted breaches since April 2024.

It started with a barely noticeable twitch. When a new systems administrator logged into their Amazon workstation from Arizona, something imperceptible to the human eye was happening—a tiny delay between each keystroke and its appearance on screen. 110 milliseconds. In the world of remote work, where network latency is usually measured in tens of milliseconds, this was a red flag the size of a billboard. It would become the thread that unraveled one of the most ambitious infiltration campaigns ever attempted against a U.S. corporation.

The Smoking Gun: A Keystroke Delay That Shouldn’t Exist

Amazon’s security team didn’t catch this imposter through flashy zero-day exploits or sophisticated malware. They caught them through physics—or rather, through the laws of network latency that even the most determined attacker can’t fully overcome.

When you type on a computer that’s directly connected to your network, your keystrokes travel to the server in milliseconds. A U.S.-based remote worker should experience latency in the range of 10-50 milliseconds. But this employee’s keyboard input lag was “more than 110 milliseconds,” according to reports. That extra delay had a simple explanation: someone else was controlling the laptop remotely from thousands of miles away, adding layers of network hops between the actual operator and the machine.

Amazon’s Chief Security Officer, Stephen Schmidt, explained the discovery to media outlets: the company’s security software flagged unusual behavior on the employee’s Amazon laptop monitor. When analysts dug deeper, they determined that the machine was being remotely controlled—a telltale sign that the person who had been hired wasn’t actually sitting in front of the keyboard.
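To make the latency signal concrete, here is an added Python example (not Amazon's tooling and not code from the reporting) that triages sessions using the two figures quoted above: the 10-50 ms expected range and the 110 ms mark. The telemetry format, the field names, the `MIN_SAMPLES` and `SUSTAINED_FRACTION` values, and the sample sessions are all assumptions constructed for illustration.

```python
from statistics import mean, median

# Figures quoted in the article: 10-50 ms expected for a U.S.-based remote
# worker; "more than 110 milliseconds" seen on the flagged laptop.
EXPECTED_MAX_MS = 50
ALERT_MS = 110
MIN_SAMPLES = 5           # assumption: fewer keystrokes is not enough evidence
SUSTAINED_FRACTION = 0.9  # assumption: nearly every keystroke must be slow

# Constructed telemetry (hypothetical format): keystroke-to-echo latency in ms.
SESSIONS = [
    {"session": "s1", "lat_ms": [22, 25, 19, 31, 24, 27, 23]},
    # One network stall: the mean is dragged up, the median is not.
    {"session": "s2", "lat_ms": [21, 26, 410, 24, 29, 22, 25]},
    # Delay on every keystroke, consistent with an extra relay hop.
    {"session": "s3", "lat_ms": [118, 121, 114, 130, 117, 125, 119]},
    # Above the expected range but under the alert mark.
    {"session": "s4", "lat_ms": [64, 71, 58, 69, 75, 66, 62]},
    {"session": "s5", "lat_ms": [140, 150]},
]

def classify(samples):
    """Return 'insufficient', 'normal', 'review' or 'alert' for one session."""
    if len(samples) < MIN_SAMPLES:
        return "insufficient"
    med = median(samples)  # robust to isolated jitter spikes
    slow = sum(s > EXPECTED_MAX_MS for s in samples) / len(samples)
    if med > ALERT_MS and slow >= SUSTAINED_FRACTION:
        return "alert"     # sustained lag: hand to an analyst with network logs
    if med > EXPECTED_MAX_MS:
        return "review"    # elevated: compare against the user's own baseline
    return "normal"

def triage(sessions):
    """Map each session id to its verdict."""
    return {s["session"]: classify(s["lat_ms"]) for s in sessions}

if __name__ == "__main__":
    for sid, verdict in triage(SESSIONS).items():
        print(sid, verdict)
```

A high median alone does not prove remote control, since VPNs, satellite links and travel also add delay. The verdict is a lead for the log and behavior review the article describes later, not a conclusion.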

A Campaign of Staggering Scale

This wasn’t an isolated incident. It was the tip of a massive iceberg.

Since April 2024, Amazon has foiled more than 1,800 infiltration attempts originating from North Korea. The campaign shows no signs of slowing down. In fact, Amazon is tracking a 27% quarter-over-quarter increase in attempted breaches, suggesting that North Korean operatives are doubling down on their strategy of infiltrating U.S. companies.

The goal? Profit, espionage, and access to critical systems. North Korea, under international sanctions and desperate for hard currency, has turned infiltration into a state-sponsored enterprise. By placing operatives inside major tech companies, they gain access to sensitive data, intellectual property, and infrastructure that can be weaponized or sold.

How They Got In (And What Almost Worked)

The mechanics of this operation reveal a disturbing level of sophistication—and a chilling willingness to use proxies and stolen identities.

What to watch for in credential-based infiltration:

  • Unusual keystroke latency or input delays
  • Fumbling use of American idioms and English-language articles in written communication
  • Unusual login times or geographic inconsistencies
  • Remote desktop protocol (RDP) activity that doesn’t match the employee’s profile
  • Behavioral inconsistencies compared to baseline user activity

The North Korean operatives didn’t appear out of nowhere. They relied on insiders—people willing to help them obtain legitimate employment at major corporations. One woman was sentenced to several years in prison in 2024 for facilitating the fraud. She had provided access to an Amazon laptop located in Arizona, which the North Korean operators then controlled remotely. It’s unclear if she helped with the initial hiring or if she was recruited after an imposter was already in place, but either way, she was a critical link in the chain.

Some reports suggest that the hiring process itself may have involved proxy candidates—people who showed up for interviews and passed the vetting process, only for a completely different person to show up on the first day of work. In large organizations with multiple hiring managers and layers of bureaucracy, such a switcheroo could go unnoticed for weeks or even months.

The Detective Work That Made the Difference

What’s remarkable about Amazon’s success isn’t just that they caught one infiltrator—it’s that they’ve caught so many. And according to Schmidt, the reason is straightforward: they were actively looking for them.

“If we hadn’t been looking for the DPRK workers,” Schmidt said, “we would not have found them.”

This is the unsexy reality of modern cybersecurity. The most advanced threat detection doesn’t come from AI or machine learning alone. It comes from security teams that are paranoid in the right way—that maintain baseline profiles of normal user behavior, that monitor for network anomalies, and that have the resources to investigate suspicious signals.

Amazon’s security software was instrumental in this case. The system flagged the unusual keystroke lag, but human analysts had to interpret that signal and dig deeper. They examined network logs, behavioral patterns, and the technical indicators that revealed remote control activity. The investigation required both automation and human judgment.

A Broader Pattern of State-Sponsored Infiltration

This isn’t unique to Amazon or North Korea. The threat of state-sponsored actors infiltrating corporate networks is escalating globally.

Earlier in 2024, five people were convicted for helping North Korean IT workers pose as Americans and secure jobs at U.S. firms. The FBI has conducted major seizures of equipment and cryptocurrency tied to North Korean hacking operations. Reports suggest that similar campaigns are underway from Iran, Russia, and China—each seeking to plant operatives inside critical infrastructure, tech companies, and financial institutions.

The 110-millisecond delay that exposed the Amazon infiltrator is likely to become a textbook case in cybersecurity training. It’s a reminder that sometimes the most powerful detection methods aren’t exotic—they’re the basics done exceptionally well. Network monitoring. Behavioral analysis. A security team that’s looking in the right direction.

The Tip of the Iceberg

Amazon’s disclosure of this case raises an uncomfortable question: how many infiltrators have not been caught? How many companies lack the security infrastructure, the resources, or the paranoia necessary to detect a 110-millisecond delay in keystroke input?

The answer, observers suggest, is probably far more than any of us would like to admit. State-sponsored actors are patient, well-funded, and learning from each failure. They’ll adapt. They’ll find new ways to mask latency. They’ll invest in better proxies and more sophisticated social engineering.

But for now, in this moment, Amazon caught them. And a barely perceptible keystroke delay became the smoking gun in one of the year’s most significant cybersecurity victories.