A North Korean imposter was uncovered, working as a sysadmin at Amazon U.S., after their keystroke input lag raised suspicions with security specialists at the online retail giant. Normally, a U.S.-based remote worker’s computer would send keystroke data within tens of milliseconds. This suspicious individual’s keyboard lag was “more than 110 milliseconds,” reports Bloomberg.
Amazon is commendably proactive in its pursuit of impostors, according to the source report. The news site talked with Amazon’s Chief Security Officer, Stephen Schmidt, about this fascinating new case of North Koreans trying to infiltrate U.S. organizations to raise hard currency for the Democratic People’s Republic of Korea (DPRK), and sometimes indulge in espionage and/or sabotage.
Right? I never heard of tracking employee’s keystroke latency before. Pretty genius.
How do they even?? They can’t know the difference in time between the humans key input and the computer’s receipt of it, since they can’t possibly know the exact millisecond the human input was made…?
The reported article really sounds like a misreading of a more technical document
If you’re on an ssh connection to a server, they can probably track the keystroke latency and average out over time. All network packets have timestamps, so you can know the latency of each one. If it’s consistently high, that’s unlikely to be a fluke or temporary network slowness.
Tcp/ip packets don’t have timestamps. They wouldn’t be reliable even if they did. And they certainly wouldn’t be “millisecond accurate”.
But apparently they remotely used a laptop located in the US, so from there it should’ve been fine, no? Unless it was simply used as a proxy.
Vdi tracks round trip latency but 100ms isn’t that far.
I bet they didn’t use keystroke latency but that’s what they said they used. They probably used drone reconnaissance.
Yeah 100ms is like coast-to-coast US
Light in fiberoptic travels at about 0.66c, or about 124,000 mi/sec. Data on copper actually has an advantage here, travelling at 0.99c, but it’s not sustainable for long distance.
100ms being 1/10th of a second would be 12,400 miles.
The earth is about 24,000 miles at the equator.
At most, 100ms one-diredtional would be literally halfway around the world.
Of course, I have 60ms packet latency to my office 45 miles away as the crow flies. So maybe packet latency isn’t the best way to tell.
Cool.
They had the drone follow the fibre cable all the way to NK
Average response from entering a line and starting the next. There’s a delay while the information is sent, and before they start typing the next line.
Hopefully someone can share the original paywalled Bloomberg article, maybe it goes into more detail
Reader mode worked for me: https://www.bloomberg.com/news/newsletters/2025-12-17/amazon-caught-north-korean-it-worker-by-tracing-keystroke-data
But if you need the archive link: https://archive.ph/p4AcP
It’s actually common for micromanaging to have software that tracks this. I believe Microsoft Teams has something similar managers can use to track “productivity”. Someone probably just compiled all of it and clicked sort, then saw some Asian name at the top and that’s what raised the red flag.