North Korean hackers exposed themselves: CryptoQuant analytical tool reveals their presence
Cyber warfare in the crypto market is taking on new dimensions. The analytical platform CryptoQuant recorded a visit from a user with an IP address belonging to North Korea, who was studying key on-chain metrics. This incident is not just a technical anomaly but a direct window into the operational methods of North Korean hacker groups.
Details of the Visit: What the North Korean User Was Looking For
According to data from the Amplitude system recorded by CryptoQuant, the visit came from a device running Mac OS X and arrived via a redirect from google.com. The target page was the chart for Bitcoin's MVRV Ratio (Market Value to Realized Value) metric. The very fact that the traffic originated from North Korea, a country with one of the strictest internet censorship regimes in the world, almost completely rules out the possibility that this was an ordinary citizen. Access to the global internet in North Korea is a privilege reserved exclusively for state, military, and diplomatic structures.
That is precisely why each such visit is highly likely to indicate a state agent rather than a regular user. Although a single incident does not allow for personal identification, it clearly points to a network exit point belonging to the government apparatus.
Why Would Hackers Need the MVRV Ratio?
The MVRV Ratio compares an asset's market capitalization with its realized capitalization (the average purchase price of all coins). The indicator is traditionally used to assess whether the market is overheated or undervalued. The question that arises for me as an analyst is: why would North Korean hackers, who specialize in theft and money laundering, monitor this macroeconomic indicator? The answer is straightforward: timing. To convert stolen funds into fiat or other assets optimally, it is necessary to understand the phase of the market cycle. Selling at a peak or during a panic can significantly affect the profitability of operations.
Cryptocurrency as an Economic Resource for Pyongyang
This observation is reinforced by the context. North Korea has long been associated with the largest crypto heists in history. The Lazarus Group, which according to numerous investigations is linked to North Korea's Reconnaissance General Bureau, is behind the hack of the Ronin network (Axie Infinity) for over $600 million in 2022 and the Coincheck exchange for $534 million in 2018. For a country under strict sanctions, digital assets have become a critically important source of foreign currency revenue that cannot be obtained through legal means.
Expert comment: The use of professional analytical tools like CryptoQuant by North Korean hackers represents an evolution in their tactics. They are moving from a simple "hack-and-steal" approach to strategic asset management. The market should prepare for the actions of these groups to become increasingly synchronized with market cycles, which could amplify volatility during periods of large fund movements.