Following North Korean hackers: CryptoQuant recorded a visit from a North Korean IP address
The analytical platform CryptoQuant has recorded unusual activity: a visit from a user with an IP address belonging to North Korea. This event, published on social network X, has drawn the attention of experts, as internet access in the DPRK is a privilege of a narrow circle of people, primarily those associated with state and military structures.
According to a screenshot from the Amplitude analytics system, the visit parameters are as follows: the user navigated to the page with the Bitcoin: MVRV Ratio metric via a Google search, using the Mac OS X operating system. Location — North Korea. The post author suggested that on-chain analytics is now being handled by individuals close to the country's top leadership. If this hypothesis is correct, interest in market metrics is being shown at the highest level.
The assumption about hackers did not arise by chance. Access to the global internet in the DPRK is closed to the vast majority of citizens. The internet remains a privilege for the chosen few — those connected to state, embassy, or military structures. This is precisely why a visit from a North Korean IP address highly likely points to a state agent.
Based on the screenshot, the user searched Google for data on the MVRV Ratio metric and landed on the relevant CryptoQuant page. A single visit in itself does not allow for identifying the user. It also does not directly confirm a connection to state structures. Determining the country by IP address only indicates the network exit point, not a specific individual.
Cryptocurrency and the DPRK
The context heightens attention to this post. The DPRK regularly appears in blockchain analytics reports in connection with crypto hacker activity. According to a common version among researchers, cyber operations provide the closed and sanctioned country with funds that are difficult to obtain through legal means. As a result, digital assets have become an important economic resource for Pyongyang.
Several groups are linked to Pyongyang, the most famous of which is the Lazarus Group. They are attributed with the largest crypto thefts in history, including the withdrawal of over $600 million from the Ronin network (Axie Infinity) in 2022 and the hack of the Coincheck exchange for approximately $534 million in 2018. The North Korean authorities themselves deny involvement in such attacks.
My analysis: This incident is another reminder of how deeply the state structures of the DPRK are integrated into the crypto ecosystem. Interest in the MVRV Ratio metric may indicate an attempt to assess the market phase for planning further operations. The market must consider that behind each such visit may stand not just an analyst, but an entire state machine aimed at extracting profit.