Crypto news

20.06.2026
01:49

Analytical tools of North Korean hackers: CryptoQuant recorded a visit from an IP address in the DPRK

The on-chain analytics platform CryptoQuant has detected an anomaly: a user visit from an IP address belonging to North Korea. This event sheds light on the methods of North Korean crypto hackers, who, it turns out, actively use professional analytical tools to monitor the market.

According to data from the Amplitude analytics system, captured in a screenshot, the visit was made from a Mac OS X operating system. The user navigated to the Bitcoin MVRV Ratio metric page via a Google search. This single activity alone does not allow for personal identification, but the context — an IP from North Korea — suggests this is likely not an ordinary citizen, but a professional hacker linked to state structures.

Why is this important?

Access to the global internet in North Korea is a privilege available only to a select few: employees of state, military, and diplomatic agencies. These very structures are known to oversee the activities of hacker groups such as the Lazarus Group. Therefore, a visit from a North Korean IP to a specialized market analysis platform is not a coincidence, but a direct indication that hackers are monitoring market metrics.

The MVRV Ratio (Market Value to Realized Value) metric is used to assess whether Bitcoin is overvalued or undervalued relative to the average purchase price of coins. Why would North Korean hackers need this information? The answer is obvious: they manage vast amounts of stolen funds and require precise data to make decisions about taking profits or holding positions.

Context: North Korea and cryptocurrencies

North Korea has long been associated with some of the largest crypto thefts in history. The Lazarus Group is attributed with attacks such as the $600 million+ Ronin network (Axie Infinity) hack in 2022 and the $534 million theft from the Coincheck exchange in 2018. For a closed and sanctioned country, digital assets have become a critically important economic resource, allowing it to bypass international restrictions.

My analysis: This incident is not just a curiosity, but a signal for the entire market. North Korean hackers are not merely stealing assets; they are professionally managing them, using the same tools as legitimate traders. This means their actions will become increasingly sophisticated, and the risks for exchanges and DeFi protocols will only grow. The market must adapt its security systems to new realities where the enemy not only hacks but also analyzes.