Crypto news

20.06.2026
04:54

North Korean hackers have been "spotted" in CryptoQuant: their analytical tools have been revealed.

Professional hacker groups operating under the auspices of North Korea continue to actively study the digital asset market. During monitoring by the analytical platform CryptoQuant, a unique case was recorded: a user with an IP address from North Korea accessed data on the MVRV Ratio metric. This event sheds light on the tools used by state-sponsored cybercriminals to assess market conditions.

Visit Details: What Were They Looking For in North Korea?

According to data from the Amplitude system, the visit was made from a Mac OS X operating system. The user navigated to the Bitcoin: MVRV Ratio page via a Google search. The MVRV Ratio metric itself (market value to realized value ratio) is a key indicator for determining whether Bitcoin is overvalued or undervalued. The fact that the request came from a country with severely restricted internet access indicates a high level of user clearance.

In North Korea, access to the global internet is a privilege available only to government officials, military personnel, and diplomatic structures. Therefore, this visit was highly likely made not by an ordinary citizen, but by a professional agent associated with government cyber units.

Threat Context: Why Is This Important?

This observation confirms a long-standing hypothesis: North Korean hackers not only steal assets but also conduct fundamental market analysis. They study macroeconomic indicators to choose optimal moments for liquidating stolen funds. Understanding metrics like the MVRV Ratio allows them to assess cycle phases and minimize losses when converting stolen funds into fiat currency.

It is worth recalling that North Korea is linked to the largest cryptocurrency thefts in history, including the hack of the Ronin network (Axie Infinity) for $600 million and the attack on the Coincheck exchange for $534 million. According to investigations, the Lazarus Group is Pyongyang's primary tool for circumventing international sanctions.

Expert opinion: A single visit in itself does not prove direct involvement in attacks, but it clearly demonstrates the evolution of North Korean cybercriminals' approaches. They are transitioning from brute force to intelligent market analysis. This means the security industry must prepare for more sophisticated money laundering schemes based on knowledge of market cycles.