Analysts at CryptoQuant have detected a North Korean hacker: what tools he used
Specialists from the CryptoQuant platform recorded a unique case — a visit from a user with an IP address belonging to North Korea. The data was published on social network X. This incident sheds light on the analytical tools used by North Korean hackers and why their activity in the crypto space attracts particular attention.
Visit Details: What the Screenshot Showed
According to a screenshot from the Amplitude analytics system, the visit was recorded with the following parameters: landing page — Bitcoin: MVRV Ratio, referral from google.com, operating system — Mac OS X, and country — North Korea. The post's author suggested that on-chain analytics is now being handled by individuals close to the country's top leadership. If this hypothesis is correct, interest in market metrics is emerging at the highest level.
The assumption about hackers did not arise by chance. In North Korea, access to the global internet is closed to the vast majority of citizens. The internet remains a privilege for the select few — those connected to state, embassy, or military structures. This is why a visit from a North Korean IP address most likely indicates a state agent.
Based on the screenshot, the user searched Google for data on the MVRV Ratio metric and landed on a relevant CryptoQuant page. By itself, a single visit does not allow for identifying the user or directly confirming a connection to state structures. Determining the country by IP address only indicates the network exit point, not a specific individual.
MVRV Ratio: What Is This Metric and Why Do Hackers Need It
The MVRV Ratio (Market Value to Realized Value) compares an asset's market capitalization to its realized value and is used to assess whether Bitcoin is overvalued or undervalued relative to the average purchase price of coins. Why this metric was needed by a North Korean remains a mystery. However, given that North Korea regularly appears in blockchain analytics reports related to crypto hacker activity, it can be assumed that interest in market indicators is not coincidental.
Cryptocurrency and North Korea: Context of the Threat
Several groups are linked to Pyongyang, the most famous of which is the Lazarus Group. They are attributed with the largest crypto thefts in history, including the withdrawal of over $600 million from the Ronin network (Axie Infinity) in 2022 and the hack of the Coincheck exchange for approximately $534 million in 2018. According to a common theory among researchers, cyber operations provide the closed and sanctioned country with funds that are difficult to obtain through legal means. Digital assets have become an important economic resource for Pyongyang. The North Korean authorities themselves deny involvement in such attacks.
Expert opinion: By itself, a single visit is no more than circumstantial evidence. However, in the context of the systemic threat from North Korean hackers, who use cryptocurrencies to bypass sanctions, this incident confirms that their interest in the market is not limited to stealing funds. They are actively studying fundamental metrics, which indicates a high level of professionalism and long-term planning.