Crypto news

20.06.2026
00:02

North Korean hackers exposed themselves: CryptoQuant recorded a visit from an IP address in North Korea.

The analytical platform CryptoQuant recorded a unique event: a visit from a user with an IP address belonging to North Korea. According to screenshots from the Amplitude system, the visitor was interested in the MVRV Ratio metric for Bitcoin, having navigated to the page via a Google search from a device running Mac OS X. This fact in itself is rare, given that internet access in the DPRK is a privilege of a narrow circle of individuals associated with state, military, or diplomatic structures.

Incident Details

The screenshot, published in a post on platform X, clearly shows the session parameters: country — North Korea, operating system — Mac OS X, and the target page — Bitcoin: MVRV Ratio. The post's author suggested that such a specific interest in market metrics is likely shown not by ordinary citizens, but probably by representatives of the top leadership or professional hackers working for the state. This is logical: access to the global network in the DPRK is strictly controlled, and a random user would hardly be able to access the open internet without approval from above.

MVRV Ratio (Market Value to Realized Value) is a key on-chain indicator that compares an asset's current market capitalization with its realized capitalization, i.e., the average purchase price of all coins. The metric is used to assess whether Bitcoin is overvalued or undervalued. Why would a North Korean agent need this particular indicator? Possibly to assess the global market cycle before planning large-scale operations for laundering or liquidating stolen funds.

Cryptocurrency as a Survival Tool for the DPRK

This incident fits into a long-term trend: North Korea systematically uses cryptocurrencies to circumvent international sanctions. According to researchers, the Lazarus Group and other Pyongyang-linked hacker groups are responsible for the largest thefts in the industry's history. In 2022, they siphoned over $600 million from the Ronin network (the Axie Infinity gaming ecosystem), and in 2018, they hacked the Coincheck exchange for $534 million. These funds directly finance the regime, which denies its involvement in cyberattacks.

The single visit from a DPRK IP address does not prove the user's identity, but it serves as a powerful signal. Pyongyang continues to actively monitor the digital asset market, using the most advanced tools for this purpose. It is evident that interest in on-chain analytics from North Korean structures will only grow — this is their "eyes" in a world where traditional financial flows are closed to them.

My expert opinion: This incident is not just a curiosity, but a clear demonstration of how deeply North Korean hackers are integrated into the blockchain ecosystem. They do not just steal; they analyze the market at a professional level. For investors, this means that any major volatility or abnormal market movements could be triggered by the actions of state actors who use cryptocurrency as a strategic asset. Keep an eye on on-chain metrics — they can reveal the actions of those who prefer to remain in the shadows.