Crypto news

20.06.2026
05:43

Analytical toolkit of North Korean hackers: CryptoQuant recorded a direct visit from an IP address in the DPRK

The professional community has received rare confirmation of exactly which analytical tools hacker groups affiliated with North Korea use. The on-chain analytics platform CryptoQuant recorded a direct visit from a user with an IP address belonging to North Korea. This event is not just a technical curiosity, but an important signal shedding light on the operational methods of state-sponsored cyber groups.

Incident Details: What the Screenshot Revealed

According to data from the Amplitude analytics system, the visit was recorded on a page featuring the Bitcoin metric: MVRV Ratio. The user accessed the site via a Google search, using the Mac OS X operating system. The very fact of accessing the internet from North Korean territory is an exceptional phenomenon. The country's internal network is tightly isolated, and only a select few have access to the global network: employees of state institutions, military personnel, and diplomatic representatives.

It is this context that allows for a high degree of confidence in assuming that the visit was not made by an ordinary citizen, but by a professional agent, likely connected to hacker units. The interest in the MVRV Ratio metric (market value to realized value) indicates a deep understanding of market cycles and an attempt to assess the degree of overvaluation or undervaluation of Bitcoin. Why do North Korean hackers need this information? The answer is obvious: to plan the timing and volume of liquidating stolen assets.

Cryptocurrency as a Strategic Resource for North Korea

This incident fits into a long-known picture. North Korea views digital assets not merely as a means for speculation, but as a critically important economic resource. Under conditions of harsh international sanctions and economic isolation, cryptocurrencies have become Pyongyang's primary channel for obtaining foreign currency revenue, bypassing traditional financial systems.

The most well-known group associated with North Korea is the Lazarus Group. It is credited with the largest thefts in the industry's history: the withdrawal of over $600 million from the Ronin network (Axie Infinity) and the hack of the Coincheck exchange for approximately $534 million. The North Korean authorities, of course, deny their involvement, but analytical data and transaction chains relentlessly point to a state connection.

My expert opinion: The recording of a visit from a North Korean IP to an on-chain analytics resource is not a coincidence, but confirmation that North Korean hackers have moved to a new level of professionalism. They not only hack protocols but also meticulously study market microstructure to maximize profits from their operations. This makes them not just technical hackers, but full-fledged market players whose actions must be taken into account when analyzing liquidity.