Crypto news

19.06.2026
20:43

CryptoQuant has recorded a visit from a North Korean hacker: analytical tools of the Lazarus Group revealed.

Analytics platform CryptoQuant has recorded a unique case: a user with an IP address from North Korea visited the Bitcoin MVRV Ratio metric page. This event, published on social network X, sheds light on the tools used by the notorious hacker group Lazarus Group and other entities from North Korea.

Visit Details: From Google to On-Chain Analytics

According to a screenshot from the Amplitude system, the user navigated to the Bitcoin: MVRV Ratio page from the Google search engine. The operating system is Mac OS X, and the country is North Korea. The visit itself does not identify the individual, but the context is extremely important.

In North Korea, access to the global internet is severely restricted and is a privilege for a select few—mainly state, diplomatic, and military structures. Therefore, a visit from an IP address in this country highly likely indicates a state agent rather than an ordinary citizen.

Why MVRV Ratio?

The MVRV Ratio (Market Value to Realized Value) metric compares an asset's market capitalization to its realized capitalization. It is used to assess whether Bitcoin is overvalued or undervalued relative to the average purchase price of coins. Why would a North Korean hacker need this metric? The answer may be related to planning large trading operations or assessing market liquidity before large-scale attacks.

Context: Cryptocurrency as an Economic Resource for Pyongyang

North Korea regularly appears in blockchain analytics reports due to crypto hacker activity. According to a common version, cyber operations provide the closed and sanctioned country with funds that are difficult to obtain through legal means. Digital assets have become an important economic resource for Pyongyang.

The most well-known group linked to North Korea is the Lazarus Group. They are attributed with the largest crypto thefts in history, including the withdrawal of over $600 million from the Ronin network (Axie Infinity) in 2022 and the hack of the Coincheck exchange for approximately $534 million in 2018. North Korean authorities deny involvement in such attacks.

Expert Opinion: This single visit is not just a statistical anomaly. It demonstrates that North Korean hackers are actively studying fundamental market metrics, not just technical vulnerabilities. This indicates a high level of preparation and a strategic approach to planning attacks. The market should consider that the adversary not only steals assets but also analyzes their market value in real time.