Internal workings of North Korean hackers: CryptoQuant recorded a visit from an IP in the DPRK
The analytical platform CryptoQuant has recorded unusual activity: a visit from a user whose IP address belongs to North Korea. This event, which the service reported in its account, sheds light on the tools and data that North Korean hackers are interested in and allows for important conclusions about the structure of their operations.
Details of the Visit: What Was the "User" from North Korea Looking For?
According to screenshots from the Amplitude analytics system that were published, the visit had very specific parameters. The user navigated to the page with the Bitcoin: MVRV Ratio metric via a Google search. Their operating system was Mac OS X, and the country was North Korea.
The post's author suggested that behind this visit were not ordinary citizens, but representatives of the country's top leadership, who are now personally interested in on-chain analytics. If this hypothesis is correct, it means that interest in market metrics is being shown at the highest level.
Why Are These Hackers, Not Ordinary Citizens?
Access to the global internet in North Korea is a privilege, not a right. The internet in the country is strictly controlled and is mainly available to those connected to state, military, or diplomatic structures. This is why a visit from a North Korean IP address with a high degree of probability points to a state agent, not a random user.
By itself, a single visit does not allow for identifying the user and does not confirm a direct connection to state structures. Determining the country by IP address only indicates the point of network exit, not a specific person.
MVRV Ratio: What Is It and Why Do Hackers Need It?
The MVRV Ratio (Market Value to Realized Value) is a key metric that compares an asset's market capitalization to its realized capitalization. It is used to assess how overvalued or undervalued Bitcoin is relative to the average purchase price of the coins.
Why this metric was needed by the North Korean user is unknown. However, the very fact of interest in on-chain analytics from representatives of North Korea speaks to their high level of training and understanding of the market.
Cryptocurrency and North Korea: The Threat Context
Attention to this post is heightened by the context. North Korea regularly appears in reports from blockchain analysts in connection with the activity of crypto hackers. According to a common version among researchers, cyber operations bring the closed and sanctioned country funds that are difficult to obtain through legal means. Digital assets have become an important economic resource for Pyongyang.
A number of groups are associated with Pyongyang, the most famous of which is the Lazarus Group. They are credited with the largest crypto thefts in history, including the withdrawal of over $600 million from the Ronin network (Axie Infinity) in 2022 and the hack of the Coincheck exchange for approximately $534 million in 2018. The North Korean authorities themselves deny involvement in such attacks.
Expert opinion from Cryptalist: Recording a visit from an IP in North Korea to an on-chain analytics platform is not just a curiosity. It is direct evidence that North Korean hackers are moving from simple monitoring to deep analysis of market metrics. This means their strategies are becoming more sophisticated and adaptive to market conditions. Ignoring this fact means underestimating the threat. The market should prepare for more complex and well-thought-out attacks from this group.