North Korean hackers exposed themselves: CryptoQuant recorded a visit from an IP in North Korea.
The on-chain analytics platform CryptoQuant has recorded a rare event: a visit from a user with an IP address belonging to North Korea. This incident sheds light on which tools and metrics are of interest to North Korean hackers and confirms their deep involvement in cryptocurrency analytics.
In a post on X (formerly Twitter), CryptoQuant analysts shared a screenshot from the Amplitude system showing the details of the visit. The user accessed the page with the Bitcoin metric: MVRV Ratio, having come from google.com. Their operating system is Mac OS X, and the country is North Korea. The post author suggested that this visit was not by ordinary citizens, but by individuals close to the country's top leadership.
Why is this not a random visit?
Context is crucial. In North Korea, access to the global internet is a privilege for the few. The network is mainly available to those connected to state, diplomatic, or military structures. Therefore, a visit from a North Korean IP address highly likely indicates a state agent—a professional hacker or analyst working for the authorities.
A single visit does not allow identifying the user or directly confirming their connection to state structures. Determining the country by IP address only indicates the network exit point, not a specific person. However, in this case, the context strengthens the suspicions.
What is the MVRV Ratio and why do hackers need it?
The MVRV Ratio (Market Value to Realized Value) compares an asset's market capitalization to its realized capitalization and is used to assess whether Bitcoin is overvalued or undervalued relative to the average purchase price of coins. Why this metric was needed by a North Korean is unknown. However, it can be assumed that hackers are analyzing market sentiment and potential entry points for their operations related to laundering or converting stolen funds.
Cryptocurrency and North Korea: A systemic threat
Attention to this post is heightened against the backdrop of regular reports from blockchain analysts linking North Korean hacker activity to the largest crypto thefts in history. According to a common theory among researchers, cyber operations provide the closed and sanctioned country with funds that are difficult to obtain through legal means. Digital assets have become an important economic resource for Pyongyang.
Several groups are associated with Pyongyang, the most famous of which is the Lazarus Group. They are credited with stealing over $600 million from the Ronin network (Axie Infinity) in 2022 and hacking the Coincheck exchange for approximately $534 million in 2018. The North Korean authorities themselves deny involvement in such attacks.
Expert opinion from Cryptalist: This incident is not just a curiosity, but a signal for the entire industry. It confirms that North Korean hackers are not only stealing assets but also actively studying market analytics to optimize their operations. This makes them even more dangerous and requires blockchain projects to strengthen security measures and monitor suspicious activity.