Crypto news

20.06.2026
06:58

The analytical tool CryptoQuant has exposed a North Korean hacker: what was Pyongyang looking for?

The analytics system of the CryptoQuant platform recorded a visit from a user with an IP address belonging to North Korea. This is not just an ordinary event, but a direct indication of which tools and metrics are of interest to North Korean state hackers.

According to data from a screenshot of the Amplitude system, the user navigated to the Bitcoin: MVRV Ratio metric page via a Google search. Their operating system is Mac OS X, and the country is North Korea. Given that access to the global internet in the DPRK is severely restricted and granted only to a select few—state and military structures—this visit is highly likely to belong to a professional agent, not an ordinary citizen.

Details of the Visit: What Were They Looking For?

The user purposefully searched for data on the MVRV Ratio (Market Value to Realized Value)—a key on-chain metric that compares Bitcoin's market capitalization to its realized capitalization. This indicator is used to assess whether an asset is overvalued or undervalued relative to the average purchase price of coins. By itself, a single visit does not allow for identification, but the context is extremely revealing. Why would a North Korean hacker need this metric? The answer lies in the strategy for managing cryptocurrency reserves.

Cryptocurrency and the DPRK: Context of the Threat

North Korea has long and systematically used cryptocurrencies as a tool to circumvent international sanctions. According to many researchers, cyberattacks provide Pyongyang with funds that cannot be obtained legally. The most well-known group is the Lazarus Group, which is attributed with the largest thefts in history: the theft of over $600 million from the Ronin network (Axie Infinity) in 2022 and the hack of the Coincheck exchange for $534 million in 2018.

Interest in the MVRV Ratio may indicate that North Korean hackers are not just stealing assets but actively managing them, trying to determine optimal moments for profit-taking or entering positions. This elevates them from the category of "ordinary" hackers to that of professional market players, making the threat even more serious.

My professional opinion: The fact that North Korean hackers are monitoring fundamental on-chain metrics such as the MVRV Ratio indicates a high level of financial literacy and strategic planning. These are not just "vandals," but state structures that view the cryptocurrency market as a field for long-term operations. Ignoring this fact means underestimating the real scale of the threat to the entire ecosystem.