Analytical toolkit of North Korean hackers: CryptoQuant recorded a visit from the DPRK
CryptoQuant, an analytical platform, recorded a direct visit from a user with an IP address belonging to North Korea. This event, published on social network X, sheds light on the tools and metrics that interest North Korean hackers, and more importantly, on the level at which cryptocurrency investment decisions are made in this closed country.
Visit Details: MVRV Ratio and Mac OS X
According to a screenshot from the Amplitude analytics system, the visit parameters are as follows: the user navigated to the page with the Bitcoin: MVRV Ratio metric from google.com, using the Mac OS X operating system. The country is North Korea. The post's author suggested that on-chain analytics is now being handled by individuals close to the country's top leadership. If this guess is correct, interest in market metrics is being shown at the highest level.
It is worth noting that internet access in North Korea is a privilege for the select few. The network is mainly available to those connected to state, embassy, or military structures. This is why a visit from a North Korean IP address highly likely indicates a state agent, rather than an ordinary citizen.
Context: Cryptocurrency as an Economic Resource
By itself, a single visit does not allow for identifying the user and does not directly confirm a connection to state structures. Determining the country by IP address only indicates the network exit point, not a specific person. However, the context heightens attention to this event. North Korea regularly appears in blockchain analysts' reports regarding crypto hacker activity.
According to a common theory among researchers, cyber operations bring funds to the closed and sanctioned country that are difficult to obtain through legal means. As a result, digital assets have become an important economic resource for Pyongyang. Several groups are associated with Pyongyang, the most famous of which is the Lazarus Group. They are attributed with the largest crypto thefts in history, including the withdrawal of over $600 million from the Ronin network (Axie Infinity) in 2022 and the hack of the Coincheck exchange for approximately $534 million in 2018. The North Korean authorities themselves deny involvement in such attacks.
My expert commentary: Recording interest in the MVRV Ratio metric from North Korean territory is not just a curiosity, but a signal. It indicates that state hackers are moving from simply stealing assets to analyzing market cycles. They are beginning to act like professional traders, using fundamental on-chain data to choose the optimal moment to liquidate their loot. This makes them even more dangerous and difficult opponents to track.