Crypto news

20.06.2026
05:28

North Korean crypto hackers exposed: analytical toolkit revealed

Analytical platform CryptoQuant has recorded a unique event: a visit from a user with an IP address belonging to North Korea (DPRK). This incident, which the service reported on its X account, sheds light on the specific analytical tools that hackers from this closed country are interested in.

The single visit itself does not allow for identifying the user. However, the context and details of this visit deserve close attention. A screenshot from the Amplitude analytics system shows key parameters: the page title "Bitcoin: MVRV Ratio," a referral from google.com, the Mac OS X operating system, and the country — North Korea.

Understanding the internal specifics of the internet in the DPRK explains why this visit likely involves professional hackers rather than an ordinary citizen. Access to the global network in the country is a privilege for a select few — mainly those connected to state, embassy, or military structures. Therefore, a visit from a North Korean IP address highly likely indicates a state agent.

Details of the Visit: What Was the North Korean User Looking For?

According to the screenshot, the user searched Google for data on the MVRV Ratio (Market Value to Realized Value) metric and navigated to the relevant CryptoQuant page. This metric compares an asset's market capitalization to its realized value and is used to assess whether Bitcoin is overvalued or undervalued relative to the average coin acquisition price. Why exactly this metric was needed by a North Korean agent remains a mystery, but the very fact of interest in fundamental on-chain indicators speaks volumes.

The author of the CryptoQuant post speculated that on-chain analytics is now being handled by those close to the country's top leadership. If this guess is correct, interest in market metrics is emerging at the highest level.

Cryptocurrency and the DPRK: Context of the Threat

Attention to this post is heightened by the broader context. The DPRK regularly appears in blockchain analytics reports related to crypto hacker activity. According to a common theory among researchers, cyber operations provide the closed and sanctioned country with funds that are difficult to obtain through legal means. As a result, digital assets have become an important economic resource for Pyongyang.

Several groups are linked to Pyongyang, the most famous of which is the Lazarus Group. They are attributed with the largest crypto thefts in history, including the withdrawal of over $600 million from the Ronin network (Axie Infinity) in 2022 and the hack of the Coincheck exchange for approximately $534 million in 2018. The North Korean authorities themselves deny involvement in such attacks.

My comment as an analyst: This incident is not just a curiosity but a signal of the growing systematic nature of the North Korean threat. The fact that DPRK hackers are studying advanced on-chain metrics like the MVRV Ratio indicates they are moving from simple attacks to strategic planning based on market analysis. This makes them even more dangerous and unpredictable players for the entire crypto industry.