Analysts at CryptoQuant have detected North Korean hackers: which on-chain metrics interest them
The blockchain analytics platform CryptoQuant recorded an unusual visit: a user with an IP address belonging to North Korea (DPRK) visited the page for Bitcoin's MVRV Ratio metric. The incident was disclosed on social network X.
A screenshot from the Amplitude system shows the visit details: the page title "Bitcoin: MVRV Ratio", a referral from google.com, the operating system Mac OS X, and the country — North Korea. The post author suggested that such interest in market metrics could only be shown by those close to the country's top leadership, not ordinary citizens.
Why this is likely hackers, not ordinary users
Access to the global internet in the DPRK is a privilege for the few. The internet is mainly available to those connected to state, embassy, or military structures. Therefore, a visit from a North Korean IP address with high probability indicates a state agent, not a random user.
By itself, a single visit does not allow identifying the user and does not directly confirm a connection to state structures. Determining the country by IP address only indicates the network exit point, not a specific person. However, the context amplifies the significance of the observation.
Cryptocurrency as an economic resource for Pyongyang
The DPRK regularly appears in reports from blockchain analysts in connection with crypto hacker activity. According to a common theory among researchers, cyber operations bring funds to the isolated and sanctioned country that are difficult to obtain through legal means. Digital assets have become an important economic resource for Pyongyang.
Several groups are associated with Pyongyang, the most famous of which is the Lazarus Group. They are attributed with the largest crypto thefts in history, including the withdrawal of over $600 million from the Ronin network (Axie Infinity) in 2022 and the hack of the Coincheck exchange for approximately $534 million in 2018. The North Korean authorities themselves deny involvement in such attacks.
My expert opinion: The use of public on-chain metrics, such as MVRV Ratio, by North Korean hackers is not just curiosity. It indicates an attempt at professional market analysis to choose optimal moments for liquidating stolen assets. The growing interest in such data from North Korean state structures is an alarming signal, suggesting that hacker operations are becoming increasingly sophisticated and strategic, rather than just impulsive thefts.