Crypto news

19.06.2026
22:28

Following North Korean hackers: CryptoQuant recorded a visit from a North Korean IP address

The analytical platform CryptoQuant recorded unusual activity: a visit to its resource by a user with an IP address belonging to North Korea (DPRK). The incident was recorded in the Amplitude analytics system and published on the social network X. This seemingly ordinary case takes on a completely different meaning in the context of the DPRK.

The screenshot of the visit reveals interesting details: the user navigated to the page with the Bitcoin: MVRV Ratio metric from the Google search engine, using the Mac OS X operating system. The country of origin is North Korea. The post author hypothesized that behind this visit are not ordinary citizens, but high-ranking individuals close to the country's leadership.

Why is this important?

Access to the worldwide web in North Korea is a privilege, not a right. The internet is available only to a select few: government officials, diplomatic workers, and military structures. Therefore, any visit from a DPRK IP address highly likely indicates a state agent. By itself, a single visit does not allow identifying the user and is not direct evidence of hacking activity. However, context is crucial.

The MVRV Ratio (Market Value to Realized Value) is a key on-chain metric that compares an asset's market capitalization to its realized capitalization. It is used to assess whether Bitcoin is overvalued or undervalued relative to the average purchase price of coins. Why would a North Korean agent need this information? The answer likely lies in Pyongyang's economic strategy.

Cryptocurrency as an economic resource for the DPRK

North Korea regularly appears in reports by blockchain analysts in connection with the activities of crypto hackers. According to a common version among researchers, cyber operations provide the closed and sanctioned country with funds that are difficult to obtain through legal means. Digital assets have become an important economic resource for the regime.

Several hacker groups are associated with Pyongyang, the most famous of which is the Lazarus Group. It is credited with the largest crypto thefts in history, including the withdrawal of over $600 million from the Ronin network (Axie Infinity) in 2022 and the hack of the Coincheck exchange for approximately $534 million in 2018. The North Korean authorities themselves deny their involvement in such attacks.

My comment: The recording of a visit from a DPRK IP to an analytical resource is not a coincidence, but an indicator. Pyongyang is not just stealing cryptocurrency; it is trying to analyze it and possibly manage its reserves. Interest in the MVRV Ratio metric suggests that North Korean hackers and their leaders are striving for professional asset management, not just accumulation. This makes them an even more dangerous and complex player in the crypto market.