Crypto news

19.06.2026
22:44

North Korean hackers exposed themselves: what they were looking for on CryptoQuant

The analytical platform CryptoQuant has recorded a unique event: a visit from a user with an IP address belonging to North Korea. This is not just a statistical anomaly — it is a direct indication that North Korean state hackers are actively studying Bitcoin market metrics. This is not about a random passerby, but about a professional agent who has access to the global network under the country's strict internet isolation.

As shown in a screenshot from the Amplitude analytics system, the visitor reached the Bitcoin: MVRV Ratio metric page via a Google search. Their operating system is Mac OS X, and the country is North Korea. Given that internet access in North Korea is a privilege granted only to a select few (government officials, diplomats, and military personnel), this visit was highly likely made by a state agent, not an ordinary citizen.

The MVRV Ratio (Market Value to Realized Value) metric compares Bitcoin's current market capitalization with the average purchase price of all coins. It is used to assess whether an asset is overvalued or undervalued. Why would a North Korean hacker need this tool? The answer is obvious: to plan a strategy for withdrawing funds or to assess the timing for new attacks.

Context of the Cyber Threat

This event is not isolated. North Korea systematically appears in blockchain analytics reports as one of the main sources of crypto threats. Groups such as the Lazarus Group are linked to the largest thefts in history: the hack of the Ronin network (Axie Infinity) for over $600 million in 2022 and the attack on the Coincheck exchange with damages of about $534 million in 2018. Digital assets have become a key economic resource for isolated Pyongyang, which is difficult to obtain through legal means due to sanctions.

A single visit does not in itself prove the user's identity, but combined with the context of North Korean cyber activity, it becomes a powerful signal. Pyongyang continues to expand its capabilities in the crypto sphere, and interest in fundamental Bitcoin metrics is just the tip of the iceberg.

My professional opinion: This incident is a stark reminder that state hackers not only attack infrastructure but also actively analyze the market. Such signals cannot be ignored: they indicate preparations for large-scale operations. For investors, this means the need for heightened vigilance when working with DeFi protocols and centralized exchanges, especially during periods of high volatility.