Analysts at CryptoQuant have recorded North Korean hackers studying on-chain metrics.
The world of cryptocurrency security has received an unexpected yet highly revealing observation. The analytical platform CryptoQuant detected a visit from a user with an IP address belonging to the DPRK. This fact, unique in itself, sheds light on which tools and data North Korean hackers are interested in at the highest level.
Visit Details: What Were They Looking For in Pyongyang?
According to screenshots from the Amplitude system, the visit was recorded on the Bitcoin metric page: MVRV Ratio. The user accessed the site via Google, operating on Mac OS X. The country of traffic origin is North Korea. The very fact that the request came from the DPRK, rather than any other jurisdiction, is a key signal. Under conditions of strict internet isolation, only a select few have access to the global network — government officials, military personnel, and, as investigations show, professional hacker groups.
The author of the observation suggested that this visit was not the work of ordinary citizens, but rather representatives of the top leadership or affiliated structures. A single visit, of course, does not allow for identifying the user, but it unequivocally points to a network exit point connected to the state apparatus.
MVRV Ratio: Why Do Hackers Need It?
The MVRV Ratio (Market Value to Realized Value) metric compares the current market capitalization of an asset with its realized capitalization. In simple terms, it shows how overvalued or undervalued Bitcoin is relative to the average purchase price of all coins. Why would North Korean hackers need this indicator? The answer lies in their core activities. A precise understanding of market cycle phases is critical for planning the liquidation of stolen funds. Knowing that the market is at a peak, they can choose the optimal moment to convert stolen BTC into fiat, minimizing losses from slippage. This is not mere curiosity — it is analytical intelligence for managing illegally obtained capital.
Cryptocurrency as an Economic Resource for the DPRK
This incident fits into the overall picture of North Korean hacker groups, such as the Lazarus Group. Pyongyang systematically uses cyberattacks to bypass international sanctions. Cryptocurrency theft has become one of the country's key sources of funding, bringing in billions of dollars. The $600 million Ronin (Axie Infinity) hack in 2022 and the $534 million attack on the Coincheck exchange in 2018 are just the tip of the iceberg.
My professional opinion: This case is not just a curiosity, but a wake-up call for the entire industry. It demonstrates that North Korean hackers have moved from brute force to sophisticated market analysis. They are no longer just stealing assets; they are studying fundamental metrics to manage stolen capital with the efficiency of a professional trader. This raises the bar of complexity for those trying to track and block their transactions. The market should expect more thoughtful and complex money laundering schemes in the future.