Analytical toolkit of North Korean hackers: CryptoQuant recorded a visit from an IP address in the DPRK
The on-chain analytics platform CryptoQuant recorded an anomalous visit from a user with an IP address belonging to North Korea (DPRK). A post on platform X published screenshots of the Amplitude system, revealing session details: the user navigated from google.com to the Bitcoin metric page: MVRV Ratio, using the Mac OS X operating system. This incident, seemingly isolated, actually uncovers an important layer of activity by North Korean cyber groups.
Why is this not an ordinary user?
The key point here is context. Access to the global internet in the DPRK is a privilege available only to a limited circle of individuals connected to state, military, or diplomatic structures. An ordinary North Korean citizen does not have the ability to access the global network. Therefore, a visit from a local IP address to a specialized crypto analytics resource highly likely indicates a state agent, rather than a curious student. Interest in the MVRV Ratio metric, which is used to assess whether Bitcoin is overvalued or undervalued relative to the average coin acquisition price, indicates a deep understanding of market cycles.
Tools and Objectives
Although a single visit does not allow identifying the user or directly confirming a link to specific hacker groups, it confirms the systematic interest of North Korean elites in the crypto market. The DPRK regularly appears in reports by blockchain analysts in connection with the activities of groups such as the Lazarus Group. They are attributed with the largest thefts in cryptocurrency history: the withdrawal of over $600 million from the Ronin network (Axie Infinity) in 2022 and the hack of the Coincheck exchange for $534 million in 2018.
My expert opinion: This incident is not just a curiosity but a marker of the evolution of North Korean cyber operations. They are transitioning from crude hacks to systematic market monitoring. The use of professional analytical tools, such as CryptoQuant, indicates that Pyongyang seeks not only to steal assets but also to manage them effectively, choosing optimal moments to liquidate positions. This raises the stakes for the entire DeFi and CeFi security industry.