Crypto news

20.06.2026
04:38

Following North Korean hackers: CryptoQuant recorded a visit from an IP in the DPRK

The analytical platform CryptoQuant recorded an anomaly: a visit from a user with an IP address belonging to North Korea. The incident was documented through the Amplitude system, and a screenshot published online displays the parameters of this visit. It involves viewing a page with the MVRV Ratio metric for Bitcoin, a referral from Google, the Mac OS X operating system, and, most notably, the country — North Korea.

The single visit itself does not reveal the user's identity. However, context is crucial. In North Korea, access to the global internet is a privilege held only by a select few: government officials, diplomats, and the military. It is this circumstance that has sparked the assumption that professional hackers, rather than an ordinary citizen, are behind the monitoring of on-chain analytics. The post's author hypothesized that on-chain analytics may now have attracted interest at the highest levels of the country's leadership.

Visit Details and the MVRV Ratio Metric

According to the screenshot, the page title is "Bitcoin: MVRV Ratio." This indicator compares the asset's market capitalization to its realized capitalization (the average purchase price of all coins). It is used to assess whether Bitcoin is overvalued or undervalued. Why a North Korean user would need this particular metric remains an open question. However, given that North Korea regularly appears in blockchain analytics reports as a hub of crypto attacks, interest in Bitcoin's market cycles becomes quite understandable.

The logic is simple: if a country actively uses cryptocurrency as an economic resource, it needs to understand when to enter a position and when to lock in profits. The MVRV Ratio is one of the key tools for making such decisions.

Cryptocurrency and North Korea: The Threat Context

Pyongyang's connection to cryptocurrencies has long been no secret. Groups such as the Lazarus Group are attributed with the largest thefts in the industry's history: from the $600 million Ronin (Axie Infinity) hack in 2022 to the $534 million attack on the Coincheck exchange in 2018. These operations provide the closed regime with funds that cannot be obtained through legal means due to strict sanctions.

The single visit from a North Korean IP address is not direct evidence of an attack. It merely indicates a point of network access, not a specific individual. However, combined with the history of North Korean hackers, this incident carries particular weight. It demonstrates that adversaries are studying the same tools as legitimate analysts and are likely using them to plan their operations.

Expert opinion: This case is a stark reminder that on-chain analytics is becoming a battlefield. State-sponsored hackers are not just stealing funds — they are studying the market as thoroughly as institutional investors. Ignoring this fact when building a security strategy is no longer an option.