Crypto news

20.06.2026
02:47

North Korean hackers have made contact: CryptoQuant recorded a visit from an IP address in the DPRK.

The analytical platform CryptoQuant recorded an unusual visit: a user with an IP address from North Korea accessed the page with the MVRV Ratio metric. This incident, which the platform reported on social media, sheds light on the tools and analytical data that North Korean cybercriminals are interested in.

According to a screenshot from the Amplitude system, the visit was made from a Mac OS X operating system, and the page was accessed via Google. The very fact that the traffic originates from the DPRK is highly indicative. In North Korea, access to the global internet is a privilege available mainly to state, military, and diplomatic structures. An ordinary citizen cannot simply go online. Therefore, this visit most likely points to a state agent rather than a random user.

Key Metric: MVRV Ratio

The MVRV Ratio (Market Value to Realized Value) metric compares an asset's market capitalization with its realized capitalization. It is used to assess whether Bitcoin is overvalued or undervalued relative to the average purchase price of coins. Why would a North Korean hacker need this particular indicator? The answer may lie in monitoring market cycles. For the Lazarus Group and other North Korean hacker units that regularly withdraw and launder stolen funds, understanding market phases is critically important. The MVRV Ratio helps determine when assets can be sold for maximum profit or, conversely, when the market is at a bottom, which can influence the strategy for liquidating stolen funds.

Threat Context: DPRK and Cryptocurrencies

This incident is not an isolated one. The DPRK regularly appears in reports from blockchain analysts as one of the main players in the field of cybercrime. According to researchers, cyber operations provide the closed and sanctioned country with funds that are difficult to obtain through legal means. Digital assets have become an important economic resource for Pyongyang.

The most well-known group linked to North Korea is the Lazarus Group. It is accused of the largest crypto thefts in history, including the theft of over $600 million from the Ronin network (Axie Infinity) in 2022 and the hack of the Coincheck exchange for approximately $534 million in 2018. The North Korean authorities themselves, of course, deny any involvement in such attacks.

Expert Opinion. The use of advanced on-chain metrics such as the MVRV Ratio by North Korean hackers is an alarming signal. This indicates a high level of professionalism and strategic planning. They are not just stealing assets but are carefully analyzing the market for their optimal sale. The cryptocurrency market should prepare for state-sponsored cybercriminals to increasingly use sophisticated analytical tools to maximize their gains.