Following North Korean hackers: CryptoQuant recorded a visit from an IP in the DPRK and revealed their analytical tools
The analytical platform CryptoQuant has recorded unusual activity: a visit from a user with an IP address belonging to North Korea. This incident sheds light on the tools and data that North Korean hackers, known for their activity in the cryptocurrency market, are interested in. A post on platform X (formerly Twitter) published details of this visit, which eloquently speak to the professional level of the users.
Visit Details: MVRV Ratio and Mac OS X
According to a screenshot from the Amplitude analytics system, the user navigated to the CryptoQuant page from a Google search, looking for data on the MVRV Ratio (Market Value to Realized Value) metric. The page title was "Bitcoin: MVRV Ratio," the operating system was Mac OS X, and the country was North Korea. The author of the observation suggested that on-chain analytics may now be used by individuals close to the country's top leadership. This assumption is not unfounded, given the strict internet isolation in North Korea.
Access to the global internet in North Korea is a privilege for the few. It is primarily held by individuals associated with state, embassy, or military structures. Therefore, a visit from a North Korean IP address highly likely indicates a state agent rather than an ordinary citizen. The user was searching for the MVRV Ratio — a metric that compares an asset's market capitalization to its realized capitalization and is used to assess whether Bitcoin is overvalued or undervalued relative to the average purchase price of coins. Why a North Korean would need this remains a mystery, but the context speaks for itself.
Cryptocurrency and North Korea: The Threat Context
The connection between North Korea and crypto hacking groups is nothing new. Pyongyang regularly appears in blockchain analytics reports due to the activity of groups such as the Lazarus Group. They are attributed with the largest crypto thefts in history, including the withdrawal of over $600 million from the Ronin network (Axie Infinity) in 2022 and the hack of the Coincheck exchange for approximately $534 million in 2018. According to a common theory, cyber operations provide the isolated and sanctioned country with funds that are difficult to obtain through legal means. Digital assets have become an important economic resource for Pyongyang.
Expert opinion: A single visit from a North Korean IP address does not allow for identifying the user and directly confirms only the network exit point, not a specific person. However, the very fact of interest in on-chain metrics, especially such a complex tool as the MVRV Ratio, from a representative of a country with strictly controlled internet access is a powerful signal. This indicates that North Korean hackers are not just stealing assets but are also actively studying market analytics to understand when and how to best liquidate them without crashing the market. The market should be prepared for the possibility that major moves from North Korea may not only be chaotic dumps but also calculated actions.