Pyongyang is watching the market: North Korean hackers have surfaced on CryptoQuant
The analytical platform CryptoQuant recorded a unique event: a visit from a user with an IP address belonging to North Korea. This fact, unusual in itself, was documented and sparked a lively discussion in the professional community. It is not about simple curiosity, but a targeted interest in key market metrics.
According to data from the Amplitude system, the visit was made to the page with the Bitcoin: MVRV Ratio metric. The user came from google.com, was running Mac OS X, and their geolocation was identified as North Korea. Given the strict restrictions on internet access in North Korea, where the worldwide web is a privilege exclusively for the top leadership, military, and state structures, this visit almost certainly indicates a professional state agent, not an ordinary citizen.
By itself, a single visit does not allow identifying the user. Determining the country by IP address only indicates the network exit point, not a specific person. However, the context gives this event special significance. North Korea regularly appears in blockchain analytics reports in connection with the activities of hacker groups such as the Lazarus Group. They are attributed with the largest crypto thefts in history, including the withdrawal of over $600 million from the Ronin network (Axie Infinity) in 2022 and the hack of the Coincheck exchange for about $534 million in 2018.
For Pyongyang, under strict sanctions, digital assets have become a critically important economic resource. Cyber operations bring funds that cannot be obtained through legal means. Therefore, the interest of North Korean hackers in the MVRV Ratio metric — an indicator showing whether Bitcoin is overvalued or undervalued — may indicate attempts to assess market conditions for planning their further operations.
Expert opinion from Cryptalist: This incident is not just a curiosity. It demonstrates that even the most closed and hostile states actively use public on-chain analytical tools for decision-making. For the market, this is a signal: we are dealing not with chaotic attacks, but with well-funded and analytically savvy adversaries who study macroeconomic indicators as thoroughly as they do code vulnerabilities.