Amazon identified a suspected North Korean IT worker after keystroke telemetry from a contractor laptop showed latency inconsistent with the worker’s claimed U.S. location. Security staff found the machine was being remotely controlled and traced the traffic as far as China, then compared the application and resume against patterns seen in other DPRK remote-worker schemes. Amazon said it has foiled more than 1,800 North Korean hiring attempts since April 2024, with quarterly attempts rising on average in 2025. The case highlights practical detection opportunities for organizations, including endpoint monitoring, remote-control detection, latency anomalies, resume-pattern review, and stronger vetting beyond LinkedIn checks.