North Korean hackers exposed themselves by analyzing on-chain metrics: details of the visit to CryptoQuant
The analytical platform CryptoQuant recorded a unique case: a user with an IP address belonging to North Korea visited the page with Bitcoin's MVRV Ratio metric. This event, published on social network X, caused widespread resonance in the professional community. Given the strict restrictions on internet access in North Korea, this visit almost 100% indicates the actions of a state agent, rather than an ordinary citizen.
What did the visit analysis show?
According to a screenshot from the Amplitude analytics system, the visit was made from the Mac OS X operating system. The user navigated to the CryptoQuant page from a Google search by entering a query for the MVRV Ratio metric. The MVRV Ratio itself (market value to realized value) is used to assess whether Bitcoin is overvalued or undervalued relative to the average coin acquisition price.
The fact of a single visit does not allow identifying the user, but the geolocation by IP address points to a network exit point that is typically controlled by North Korean state, military, or diplomatic structures. These structures are traditionally associated with hacker groups such as the Lazarus Group.
Context: North Korea and cryptocurrencies
Pyongyang's interest in digital assets is not coincidental. Under strict international sanctions, cryptocurrencies have become one of the few ways to bypass financial isolation. According to numerous investigations, North Korean hackers are responsible for several of the largest thefts in industry history, including the withdrawal of over $600 million from the Ronin network (Axie Infinity) in 2022 and the hack of the Coincheck exchange for $534 million in 2018.
The fact that North Korean representatives are purposefully studying fundamental on-chain metrics such as the MVRV Ratio indicates a high level of their analytical training. They not only steal assets but also attempt to assess market cycles to choose the optimal time for liquidating stolen funds.
Expert comment: This incident is a stark reminder that North Korean state hackers do not operate blindly. Their interest in professional analytical tools shows that they seek to maximize profits from their illegal operations. For the market, this means that periods of high activity by the Lazarus Group may coincide with certain phases of the cycle when they consider the price "fair" for selling.