Crypto news

19.06.2026
20:14

North Korean Hackers: CryptoQuant Analytical Tools in the Hands of North Korean Cybercriminals

The analytical platform CryptoQuant recorded an unusual visit: a user with an IP address belonging to North Korea accessed data on the Bitcoin MVRV Ratio metric. This event, in itself, is a powerful signal indicating that North Korean hackers are actively using professional on-chain analytics tools to plan their operations.

Visit Details: What Did the Screenshot Show?

According to a screenshot from the Amplitude system, the user navigated to the Bitcoin: MVRV Ratio page from a Google search query, using the Mac OS X operating system. The country of origin is North Korea. Given the strict restrictions on internet access in the DPRK, this fact virtually rules out the possibility of it being an ordinary random citizen. More likely, this visit was made by a state agent associated with intelligence or military structures.

The single visit itself does not allow for identifying the user, but it clearly indicates a network exit point. Considering that access to the global internet in the DPRK is a privilege for a select few—government officials, diplomats, and military personnel—the probability that this is a hacker from the Lazarus Group or a similar structure is extremely high.

Why Do Hackers Need the MVRV Ratio?

The MVRV Ratio (Market Value to Realized Value) metric compares Bitcoin's market capitalization with its realized capitalization (the average purchase price of all coins). It is used to assess whether an asset is overvalued or undervalued. For hackers managing multi-billion dollar cryptocurrency portfolios, understanding this indicator is critically important for choosing the optimal time to liquidate assets or, conversely, to accumulate positions before new attacks. The interest in this metric from North Korean hackers is direct evidence of their professionalism and systematic approach to managing stolen funds.

Context: The DPRK and Cryptocurrencies

North Korea has long been firmly associated with the largest cryptocurrency thefts. The Lazarus Group, according to many experts, is responsible for high-profile hacks such as the theft of over $600 million from the Ronin network (Axie Infinity) in 2022 and the hack of the Coincheck exchange for approximately $534 million in 2018. For a country under strict sanctions, cryptocurrency has become a key source of funding, allowing it to bypass international financial restrictions.

Expert Opinion: This incident is not just a curiosity. It underscores that North Korean hackers are not only technically skilled but also possess deep knowledge of market mechanisms. They have moved from simple thefts to strategic asset management, using the same tools as professional traders. For the industry, this is an alarming signal: the adversary is becoming increasingly sophisticated and adaptive.