Crypto news

20.06.2026
05:59

CryptoQuant analytics detected North Korean hackers: what tools they use

The analytical platform CryptoQuant recorded an unusual visit: a user with an IP address from North Korea was studying data on the MVRV Ratio metric. This incident, which the service reported in its account, sheds light on the professional tools used by North Korean crypto hackers.

Visit Details: What the Analytics Showed

According to a screenshot from the Amplitude system, the visit was made from a Mac OS X operating system, the transition was made from google.com, and the target page was Bitcoin: MVRV Ratio. The country was North Korea. The post's author suggested that on-chain analytics are now being handled by individuals close to the country's top leadership. If this guess is correct, interest in market metrics is being shown at the highest level.

This assumption is not accidental. In North Korea, access to the global internet is closed to the vast majority of citizens. The internet remains a privilege for the select few—those connected to state, embassy, or military structures. This is why a visit from a North Korean IP address highly likely indicates a state agent.

Based on the screenshot, the user searched Google for data on the MVRV Ratio metric and landed on the relevant CryptoQuant page. By itself, a single visit does not allow for identifying the user or directly confirming a connection to state structures. Determining the country by IP address only indicates the network exit point, not a specific individual.

The MVRV Ratio (Market Value to Realized Value) compares an asset's market capitalization with its realized value and is used to assess whether Bitcoin is overvalued or undervalued relative to the average purchase price of coins. Why this metric was needed by a North Korean remains unknown.

Cryptocurrency and North Korea: Context

Attention to this post is heightened by the context. North Korea regularly appears in blockchain analysts' reports regarding crypto hacker activity. According to a common theory among researchers, cyber operations provide the closed and sanctioned country with funds that are difficult to obtain through legal means. Digital assets have become an important economic resource for Pyongyang.

Several groups are linked to Pyongyang, the most famous of which is the Lazarus Group. They are attributed with the largest crypto thefts in history, including the withdrawal of over $600 million from the Ronin network (Axie Infinity) in 2022 and the hack of the Coincheck exchange for approximately $534 million in 2018. The North Korean authorities themselves deny involvement in such attacks.

Expert Commentary: This incident is a stark reminder that North Korean hackers not only steal assets but also actively study fundamental market metrics. Their interest in the MVRV Ratio suggests they aim not just for short-term gains but also to understand long-term market cycles. For investors, this is a signal: monitoring the activity of such players is becoming increasingly important, as their actions can impact liquidity and price dynamics.