Analytical toolkit of North Korean hackers: CryptoQuant recorded a visit from a North Korean IP
The professional community has received a rare opportunity to look into the operational environment of North Korean cyber groups. The CryptoQuant platform recorded a visit from a user with an IP address belonging to the DPRK. The data was obtained through the Amplitude analytics system, allowing the details of this session to be reconstructed.
According to a screenshot from the publication, the user navigated to the Bitcoin: MVRV Ratio metric page via a Google search query. The system recorded the operating system as Mac OS X, and the country of origin as North Korea. This single visit does not in itself reveal the user's identity, but it does indicate an exit point to the network.
The context, however, lends particular significance to this event. In the DPRK, access to the global internet is a privilege available only to a narrow circle of individuals associated with state, military, or diplomatic structures. The likelihood that an ordinary citizen is behind this visit is virtually zero. With a high degree of confidence, it can be stated that we are observing the activity of a state agent.
MVRV Ratio and Pyongyang's Strategic Interest
The interest in the MVRV Ratio (Market Value to Realized Value) metric from a North Korean user is no coincidence. This indicator compares an asset's market capitalization to its realized value and is used to assess whether Bitcoin is overvalued or undervalued. Why hackers from the DPRK would need this tool is an open question. However, given the scale of their operations, it could be related to planning the liquidation of accumulated reserves or assessing market conditions for new attacks.
Global Context: The DPRK and Cryptocurrencies
North Korea regularly appears in reports from blockchain analysts. The most well-known group linked to Pyongyang is the Lazarus Group. It is attributed with the largest thefts in crypto industry history: the withdrawal of over $600 million from the Ronin network (Axie Infinity) in 2022 and the hack of the Coincheck exchange for $534 million in 2018. Digital assets have become a critically important economic resource for the country, which is under strict sanctions.
Expert Opinion from Cryptalist: This incident is a clear demonstration of how analytical tools intended for legitimate traders can be used for intelligence purposes. Monitoring activity from DPRK IP addresses on specialized platforms is one of the few ways to obtain operational information about the actions of these groups. The single visit itself is not evidence of an attack, but it confirms that Pyongyang continues to monitor the market using the same tools as professional participants. This raises the stakes in the game of tracking their activity.