Analysts at CryptoQuant recorded a visit by a North Korean hacker: targets and tools
The analytical platform CryptoQuant recorded a unique event: a visit from a user with an IP address from North Korea. According to monitoring by the Amplitude system, the visitor was interested in the MVRV Ratio metric for Bitcoin. This case is notable not so much for the fact itself, but for the context — access to the global internet in the DPRK is strictly limited and is a privilege for a select few associated with state, military, or diplomatic structures.
Details of the visit, captured in screenshots, include a referral from google.com, the Mac OS X operating system, and the country — North Korea. The post's author suggested that such interest in market metrics is shown not by ordinary citizens, but by representatives of the top leadership or professional hackers. This assumption is based on the country's strict internet isolation, where only those connected to state structures have network access.
What is the MVRV Ratio and why is it important?
The MVRV Ratio (Market Value to Realized Value) is a key on-chain indicator that compares an asset's current market capitalization to its realized capitalization (the average purchase price of all coins). It is used to assess whether Bitcoin is overvalued or undervalued. Why exactly this metric was needed by a North Korean user remains a mystery, but the context suggests it may be related to planning large-scale market operations.
Cryptocurrency as an economic resource for the DPRK
North Korea has long been a focus of blockchain analysts due to the activity of crypto hacking groups. According to a common version, cyber operations bring Pyongyang funds that are difficult to obtain through legal means due to international sanctions. Digital assets have become an important economic resource for the regime. The most famous group linked to the DPRK is the Lazarus Group. It is blamed for the largest thefts in cryptocurrency history, including the withdrawal of over $600 million from the Ronin network (Axie Infinity) in 2022 and the hack of the Coincheck exchange for $534 million in 2018. North Korean authorities deny involvement in these attacks.
The single visit itself does not allow identifying the user or directly confirming a connection to state structures. Determining the country by IP address only indicates the network exit point, not a specific person. However, in the context of the overall activity of North Korean hackers, this case becomes another link in the chain of evidence that Pyongyang continues to use cryptocurrencies as a tool to bypass sanctions and finance its activities.
Expert opinion from Cryptalist: This visit is not just a coincidence. Interest in the MVRV Ratio from North Korean structures may indicate that they are beginning to use advanced on-chain metrics for market analysis. If previously their operations were mainly hacking attacks, now we may be witnessing a shift towards a more strategic approach, including trading and asset management. This could complicate the task for global regulators and analysts.