North Korean hackers exposed themselves by analyzing Bitcoin on-chain metrics.
The analytical platform CryptoQuant recorded a unique case: a visit from a user with an IP address belonging to North Korea (DPRK). This incident, reported in an official service post, sheds light on the analytical tools of interest to North Korean crypto hackers. This is not about random browsing by an ordinary citizen, but a targeted study of professional market data.
Visit Details: MVRV Ratio and macOS
According to a screenshot from the Amplitude system, the user navigated to the Bitcoin: MVRV Ratio metric page from a Google search query. The system recorded the operating system as Mac OS X and the country as North Korea. The observer suggested that this visit was made by individuals close to the country's top leadership. If this hypothesis is correct, interest in market metrics is being shown at the highest level.
The context here is critically important. In the DPRK, access to the global internet is severely restricted and is a privilege for a select few—state, diplomatic, or military structures. This is precisely why a visit from a North Korean IP with high probability points to a state agent, not an ordinary user. The user specifically searched for data on the MVRV Ratio metric, indicating a deep interest in assessing Bitcoin's market capitalization.
Cryptocurrency as an Economic Resource for Pyongyang
The single visit itself does not allow for identifying the user, but it fits perfectly into the overall picture. The DPRK regularly appears in blockchain analytics reports regarding crypto hacker activity. According to a common theory among researchers, cyber operations provide the closed and sanctioned country with funds that are difficult to obtain through legal means. Digital assets have become an important economic resource for Pyongyang.
Several hacker groups are associated with the DPRK, the most famous being the Lazarus Group. They are credited with the largest crypto thefts in history, including the withdrawal of over $600 million from the Ronin network (Axie Infinity) in 2022 and the hack of the Coincheck exchange for approximately $534 million in 2018. The North Korean authorities themselves deny involvement in such attacks, but the recorded interest in the MVRV Ratio metric is another indirect yet significant piece of evidence of their engagement in the crypto market.
Expert Opinion: The interest of North Korean hackers in fundamental on-chain metrics, such as the MVRV Ratio, is an alarming signal. This indicates they are moving from simple thefts to strategic market analysis. Their goal is not just to steal, but to effectively manage stolen assets, choosing optimal moments for liquidation. The market should prepare for more sophisticated actions from these state actors.