North Korean hackers have been spotted in CryptoQuant: what were they looking for?
Analytical platform CryptoQuant recorded an unusual visit: a user with an IP address belonging to North Korea accessed the page with the Bitcoin MVRV Ratio metric. This event drew the attention of experts, as access to the global network in North Korea is strictly limited and is a privilege of the chosen few—primarily state and military structures.
Details of the Anomalous Visit
According to data from the Amplitude analytics system, the visit was made from a Mac OS X operating system via a redirect from google.com. The target page turned out to be the Bitcoin: MVRV Ratio chart. By itself, a single visit does not allow identifying the user's identity, but the geolocation by IP indicates an exit point to the network within North Korea.
Given that the internet in the country is a tool for a narrow circle of individuals associated with the government, diplomatic missions, or the military, there is a high probability that behind this request is a professional hacker or analyst working for state structures. Interest in market metrics at this level is not a coincidence but part of a larger strategy.
Why Is This Important?
North Korea has long been a key player in the world of crypto crime. According to researchers, cyber operations provide Pyongyang with funds that cannot be obtained legally due to international sanctions. Groups such as the Lazarus Group are attributed with the largest thefts in the industry's history: the Ronin Network hack for $600 million in 2022 and the attack on the Coincheck exchange for $534 million in 2018.
The fact that North Korean users are studying fundamental on-chain metrics such as the MVRV Ratio indicates a systematic approach. They are not just stealing assets—they are analyzing the market to choose optimal moments for liquidating stolen goods or planning new attacks. This transforms them from simple hackers into full-fledged market participants with state support.
My expert opinion: The recording of such a visit is a red flag for the entire industry. If North Korean hackers have begun actively monitoring complex on-chain indicators, it means their operations are becoming more thoughtful and less predictable. The market should prepare for new, more sophisticated attacks, where the goal will be not only instant fund withdrawal but also long-term liquidity manipulation.