Analysts at CryptoQuant have recorded a visit from North Korean hackers: what are they actually interested in?
An extraordinary event has occurred in the world of cryptocurrency security. The blockchain analytics platform CryptoQuant recorded a visit to its resource by a user with an IP address belonging to North Korea (DPRK). This seemingly ordinary incident actually sheds light on which analytical tools are of interest to hacker groups from this closed country.
Details of the Visit: What Was the "Guest" Looking For?
According to data from the Amplitude analytics system, the session was recorded from the Mac OS X operating system. The user navigated to the page with the Bitcoin: MVRV Ratio metric via a Google search. This metric itself is a powerful tool for assessing whether Bitcoin is overvalued or undervalued in the market. It compares the current market capitalization with the realized capitalization (the average acquisition price of all coins).
The key point here is not the metric itself, but the traffic source. In North Korea, access to the global internet is a privilege, not a given. It is available only to a select few: high-ranking government officials, embassy staff, and, most importantly, professional hacker units. This is why a single visit from a North Korean IP address almost 100% indicates that behind the screen is not an ordinary citizen, but a state agent studying the market.
Why MVRV Ratio? Context Matters
The interest in on-chain analytics from the DPRK is no coincidence. North Korea has long been one of the main threat actors in the crypto industry. According to numerous investigations, cyber operations have become a key source of funding for the country, which is under strict sanctions. Illegally obtained digital assets are converted into fiat currency, which is difficult to obtain legally.
The most well-known group linked to Pyongyang is the Lazarus Group. It is attributed with the largest thefts in cryptocurrency history, including the hack of the Ronin network (Axie Infinity) for over $600 million in 2022 and the attack on the Coincheck exchange for $534 million in 2018. Understanding market metrics like the MVRV Ratio allows these groups to choose optimal moments to liquidate stolen funds, minimizing losses from volatility and avoiding a market crash.
Of course, a single visit does not allow identifying the user or confirming their connection to a specific attack. Determining the country by IP address only indicates the network exit point. However, the very fact that an analytical tool designed for professional market assessment has attracted attention from the DPRK is an important signal for the entire crypto community.
Expert Opinion: This incident is not just a curiosity, but direct evidence that North Korean hackers have moved from simple phishing attacks to deep market analysis. They are no longer acting blindly. The use of metrics like the MVRV Ratio indicates a high level of professionalism and strategic planning. For investors, this is another signal of the need to strengthen security measures and monitor suspicious transactions, especially at times when major players begin to show interest in fundamental indicators.