Following North Korean hackers: CryptoQuant recorded a visit from an IP address in the DPRK
The analytical platform CryptoQuant has recorded unusual activity: a visit from a user whose IP address belongs to North Korea. This case sheds light on the tools and metrics that interest hackers from the DPRK. The incident was published in a post on platform X, and as an analyst, I see much more in this than just a random click.
The screenshot from the Amplitude system shows the details of the visit: the user navigated to the Bitcoin: MVRV Ratio metric page from Google, using the Mac OS X operating system. The country is North Korea. The post's author suggested that this visit was not the work of ordinary citizens, but of individuals close to the country's top leadership. This is not just a guess—it is a logical conclusion based on the specifics of the internet in the DPRK.
Why is this not a random user?
Access to the global internet in North Korea is a privilege mainly available to state, military, and diplomatic structures. Ordinary citizens have virtually no access to the global internet. Therefore, a visit from a North Korean IP address with high probability indicates a state agent, not an ordinary user interested in cryptocurrencies.
By itself, a single visit does not allow for identification, but the context is extremely revealing. The user was searching for data on the MVRV Ratio metric (Market Value to Realized Value), which compares Bitcoin's market capitalization to its realized value. This indicator is used to assess whether an asset is overvalued or undervalued. Why would a North Korean hacker need this metric? Possibly to assess the current market phase before planning the liquidation of stolen funds or to analyze global trends.
Cryptocurrency as an economic resource for the DPRK
This case is not isolated. The DPRK regularly appears in blockchain analysts' reports regarding crypto hacker activity. According to a common version, cyber operations bring funds to the closed and sanctioned country that are difficult to obtain through legal means. Digital assets have become an important economic resource for Pyongyang.
Several groups are associated with the DPRK, the most famous of which is the Lazarus Group. They are attributed with the largest crypto thefts in history, including the withdrawal of over $600 million from the Ronin network (Axie Infinity) in 2022 and the hack of the Coincheck exchange for approximately $534 million in 2018. The North Korean authorities themselves deny their involvement, but on-chain analytics data suggests otherwise.
My expert opinion: The recording of a visit from a DPRK IP address to the CryptoQuant platform is not just an anomaly, but a signal for the entire market. North Korean hackers are actively studying market metrics to optimize their strategies. This means we should expect more sophisticated attacks and money laundering schemes. The market must be prepared for state structures with unlimited resources to penetrate the crypto ecosystem ever deeper.