A candidate posing as Japanese software developer Taro Aikuchi froze and failed to repeat the phrase “Kim Jong Un is a fat ugly pig” during a video job interview on April 6, 2026, prompting immediate suspicions that he was a North Korean operative using a fabricated identity.
The interviewer, blockchain security researcher Tanuki42 on X, recorded the exchange and posted the 82-second clip, in which the candidate who is appearing on camera wearing glasses and a blue sweater, hesitated for several seconds, averted his eyes, stuttered partial denials and never completed the sentence. He later claimed “not north korean” before the call ended abruptly.
In an earlier round of the same interview, shared later by Tanuki42, the candidate said he was familiar with North Korea research. The connection dropped the instant he was asked to say “F**k Kim Jong Un.” He reconnected and apologized for the “mysterious” technical issue. Tanuki described the tactic as a reliable filter since he haven’t found any North Korean hackers passing this question.
Here is a video of a North Korean IT worker being stopped dead in their tracks upon being required to insult Kim Jong Un.
It won’t work forever, but right now it’s genuinely an effective filter. I’m yet to come across one who can say it. https://t.co/8FFVPxNm8X pic.twitter.com/KXI5efMo5L
— tanuki42 (@tanuki42_) April 6, 2026
Within hours of the video spreading, the candidate changed his Telegram handle from @cryptotrading2150 to @cryptodegen202, wiped the chat history and blocked the interviewer.
Details released by the cybersecurity researcher for tracking purposes include the identity used by the individual as Taro Aikuchi, purportedly from Meguro City, Japan. Associated contact information includes multiple email addresses, an X account handle, a LinkedIn profile, and a GitHub repository (0xbomb215), which shows activity dating back to 2019, including work on Solana-based bots, flash loan mechanisms, NFT marketplaces, and token launchpads. The IP address logged during the call matches indicators previously linked to North Korean remote-desktop operations.
The GitHub repository under 0xbomb215 remained publicly accessible as of April 7. Most other profiles tied to the persona have been restricted or removed.
North Korea has for years run a large-scale program sending thousands of workers abroad, often routed through China or Russia, to take remote IT and software jobs at Western companies under false identities. The revenue generated, estimated in the hundreds of millions of dollars annually, is funneled back to the regime to support weapons programs, nuclear development and state-sponsored cyber operations, including those by the Lazarus Group.
Operatives typically use polished resumes, fabricated GitHub histories and remote-desktop tools such as AnyDesk or RustDesk while operating under strict regime monitoring. Behavioral indicators documented by cybersecurity researchers include sudden connection drops during sensitive questioning, accent slips inconsistent with claimed nationalities and hesitation on topics tied to ideological loyalty.
full video through the cognitive load pipeline i am currently working on
it caught cognitive load spikes during:
– first mention of hacker groups
– during first mention of north korea
– during the evasion from insulting kim jong-unnot a silver bullet but far beyond nothing https://t.co/IxK7eGGj2b pic.twitter.com/UaJgnSlXXw
— igmut (@igxmut) April 6, 2026
The incident drew widespread attention across blockchain and cybersecurity communities, with researchers pointing to a contrast between the candidate’s professional presentation and his visible hesitation during the exchange. Some also noted the irony of a sophisticated infiltration attempt appearing to falter
One of the researchers said the footage showed a spike in “excessive thinking” when North Korea was mentioned, based on observed behavioral cues. The clip shows the individual pausing and struggling when asked to insult Kim Jong Un, a reaction some observers described as a potential indicator for identifying suspected North Korean IT workers.
The “Kim test” exploits North Korea’s extreme cult of personality, under which public criticism of their supreme leader can result in severe punishment for the individual and, under the country’s collective punishment system, for family members. The tactic is not new in cybersecurity circles but live video evidence of it succeeding in real time is rare.
Author’s Opinion
Such behavioral filters are temporary. North Korean operators have adapted in the past by refining tradecraft, including deeper identity fabrication and AI-assisted audio and video. It is recommend to combe the test with stricter controls such as verified video identification, controlled-environment coding assessments and company-issued devices.
Remote hiring in high-value sectors such as software development and decentralized finance has created an attractive target for state-backed actors seeking to generate revenue and potentially insert backdoors or exfiltrate data. The case illustrates that technical credentials alone are no longer sufficient proof of legitimacy when identity fraud can be executed at scale.
