North Korean hackers have exposed themselves: what tools do they use to analyze the crypto market
The analytical platform CryptoQuant recorded a unique case: a user visit from an IP address in North Korea. This incident sheds light on the analytical tools used by professional hackers from the DPRK to monitor the cryptocurrency market. The data was published in an official post by the service on platform X.
Visit Details: What Was the North Korean User Looking For?
According to a screenshot from the Amplitude analytics system, the visit parameters are as follows: page title — "Bitcoin: MVRV Ratio," the transition was made from google.com, the operating system — Mac OS X, and the country — North Korea. The post's author suggested that on-chain analytics is now being handled by individuals close to the country's top leadership. If this guess is correct, interest in market metrics is being shown at the highest level.
This assumption is not coincidental. In North Korea, access to the global network is closed to the vast majority of citizens. The internet remains a privilege for the select few—those connected to state, embassy, or military structures. Therefore, a visit from a North Korean IP address highly likely indicates a state agent.
Based on the screenshot, the user searched Google for data on the MVRV Ratio metric and landed on the relevant CryptoQuant page. A single visit in itself does not allow for identifying the user or directly confirming a connection to state structures. Determining the country by IP address only indicates the network exit point, not a specific individual.
MVRV Ratio: Why Do Hackers Need This Metric?
The MVRV Ratio (Market Value to Realized Value) compares an asset's market capitalization with its realized value and is used to assess whether Bitcoin is overvalued or undervalued relative to the average purchase price of coins. Why this metric was needed by a North Korean remains a mystery. However, the very fact of interest in such a specific indicator points to a deep understanding of market mechanisms.
Cryptocurrency and the DPRK: Context of the Threat
Attention to this post is heightened by the context. The DPRK regularly appears in blockchain analysts' reports regarding crypto hacker activity. According to a common theory among researchers, cyber operations bring funds to the closed and sanctioned country that are difficult to obtain through legal means. As a result, digital assets have become an important economic resource for Pyongyang.
Several groups are linked to Pyongyang, the most famous of which is the Lazarus Group. They are attributed with the largest crypto thefts in history, including the withdrawal of over $600 million from the Ronin network (Axie Infinity) in 2022 and the hack of the Coincheck exchange for approximately $534 million in 2018. The North Korean authorities themselves deny involvement in such attacks.
Expert Opinion: This incident is a rare window into the world of North Korean cyber intelligence. The use of Mac OS X and interest in the MVRV Ratio metric indicate that hackers are not just stealing funds but also carefully analyzing the market to choose optimal moments for liquidating assets. This makes them even more dangerous players in the crypto market.