Analysts at CryptoQuant have detected North Korean hackers: what tools they are using
The world of cryptocurrency security has received further confirmation that interest in blockchain analytics is growing at the highest — and most secretive — levels. The CryptoQuant platform recorded a unique visit from a user with an IP address from North Korea (DPRK). This is not just an ordinary event, but an important signal shedding light on exactly which analytical tools North Korean hackers are using.
Details of the visit, made public through the Amplitude analytics system, paint a picture. The user navigated to the page for the Bitcoin: MVRV Ratio metric via a Google search, using the Mac OS X operating system. The country of origin of the traffic — North Korea — is itself a key indicator. In the DPRK, access to the global network is a privilege available only to a select few: government officials, diplomats, and, of course, professional state-sponsored hackers.
Why this is not a random user
The internet in North Korea is tightly controlled. For the vast majority of citizens, the internet is closed off. Therefore, a visit from a local IP address almost 100% indicates a state agent. The user purposefully searched for data on the MVRV Ratio (Market Value to Realized Value) metric — one of the key indicators for assessing whether Bitcoin is overvalued or undervalued. The fact that a North Korean hacker is interested in this particular metric speaks to a high level of understanding of market mechanisms and, likely, attempts to assess the current phase of the cycle to plan their operations.
Although a single visit does not allow for identifying the user, it clearly points to a network exit point. The context, however, amplifies the significance of the finding: the DPRK regularly appears in blockchain analytics reports in connection with the activities of hacker groups, such as the infamous Lazarus Group.
Cryptocurrency as an economic resource for Pyongyang
It is important to understand that for North Korea, which is under strict international sanctions, cryptocurrencies have become a critical economic resource. Cyber operations are not just a hobby, but a state program to bypass sanctions and obtain funds. The Lazarus Group is linked to the largest thefts in the industry's history: the theft of over $600 million from the Ronin network (Axie Infinity) in 2022 and the hack of the Coincheck exchange for $534 million in 2018. Pyongyang itself, of course, denies involvement in these attacks.
My expert opinion: This incident is not just a curiosity, but direct proof that North Korean hackers not only actively monitor the market but also use professional analytical platforms to make decisions. This raises the threat level: we are dealing not with vandals, but with well-trained financial analysts who study market cycles as thoroughly as they study vulnerabilities in code. The crypto community should be prepared for the next hack to be even more calculated and timely from a market conditions perspective.