Invisible to humans, obvious to AI: Amazon’s 110-millisecond lesson in remote work security

In late 2025, Amazon disclosed a security incident that, on the surface, sounded almost trivial. A remote IT worker had been unmasked as a foreign infiltrator because of a slight delay in keystroke timing. About 110 milliseconds. Barely noticeable to a human. Invisible to traditional security controls.

But that detail is precisely why the case matters.

The worker had valid credentials. He had passed hiring checks, used approved tools. There was no malware, no exploit, no policy violation in the conventional sense. What exposed the intrusion was behavior that didn’t quite align with what Amazon’s systems understood as “normal” for a U.S.-based remote employee. That small, consistent latency triggered deeper investigation and ultimately revealed that the system was being remotely controlled from abroad, tied to a fabricated identity and a broader North Korean remote worker scheme.

Amazon later confirmed it had blocked more ...