North Korean IT Worker Exposed for Refusing Kim Unmasked After

Circulating within cybersecurity and crypto circles, a viral video has exposed a novel and surprisingly simple technique for unmasking North Korean state-sponsored IT workers attempting to infiltrate Western organizations: asking them to insult their Supreme Leader.

The footage shows a job candidate, Taro Aikuchi, a Japanese national, identifying himself and refusing to repeat the phrase about Kim Jong when prompted by an interviewer.

The candidate’s visible discomfort and flat-out refusal to comply with the seemingly absurd request immediately raised red flags, ultimately leading to his unmasking as a North Korean operative working under a fabricated identity.

The clip, shared by researcher @tanuki42_ on X, has since drawn significant attention from security professionals and hiring managers across the crypto and decentralized finance (DeFi) space sectors that have been disproportionately targeted by Pyongyang-linked hacking groups such as Lazarus Group and TraderTraitor.

The Test Turns Effective

North Korea’s IT worker scheme is not new. The U.S. Department of Justice and DPRK-focused threat intelligence teams have repeatedly warned that North Korea deploys thousands of IT workers abroad or remotely using stolen or fabricated identities to secure employment at technology companies.

Once inside, these operatives either generate revenue for the regime, exfiltrate proprietary data, or plant backdoors for future exploitation.

The crypto and DeFi industries have been prime targets due to their remote-first hiring cultures, pseudonymous norms, and the potential for direct access to digital assets. High-profile incidents, including the $1.4 billion Bybit hack attributed to Lazarus Group in early 2025, underscore just how damaging successful infiltration can be.

While unconventional, the interview technique exploits a well-understood psychological reality: North Korean operatives live under extreme ideological conditioning, and criticizing Kim Jong Un even fictitiously in a private setting poses a genuine internal barrier.

Several DeFi protocols and Web3 startups have already cited this method as a supplementary screening layer alongside standard identity verification, background checks, and document authentication.

Security researchers caution that this should not be a standalone control. Sophisticated actors may adapt over time. Robust defenses still include video-verified identity checks, government ID cross-referencing, IP and VPN detection, and behavioral monitoring post-hire.

Still, the Taro Aikuchi incident serves as a stark reminder that human behavioral signals, however low-tech, can cut through layers of digital deception in ways that automated tools sometimes cannot.

The video has been widely shared as both a cautionary tale and a darkly humorous addition to the modern threat intelligence playbook.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.