Crypto news

20.06.2026
07:15

North Korean Hackers' Toolkit: CryptoQuant Records Suspicious Visit from a North Korean IP

The analytical platform CryptoQuant recorded a unique event: a visit from a user with an IP address from North Korea. This case, published on social network X, sheds light on the tools and data that North Korean hackers are interested in. This is not about an ordinary citizen, but, with a high degree of probability, about a professional agent who has access to the global network—a privilege unavailable to 99% of the country's population.

Visit Details: What Was the North Korean User Looking For?

According to a screenshot from the Amplitude analytics system, the visit was recorded with the following parameters: country—North Korea, operating system—Mac OS X, referral from google.com. The target page was the chart of the Bitcoin: MVRV Ratio metric (Market Value to Realized Value). This metric compares Bitcoin's market capitalization to its realized capitalization and is used to assess whether an asset is overvalued or undervalued relative to the average purchase price of coins.

By itself, a single visit does not allow identifying the user or directly confirming a connection to state structures. However, the context is crucial. In North Korea, internet access is a privilege of the elite: state, military, and diplomatic structures. That is why a visit from a North Korean IP address highly likely indicates a state agent, not a random citizen.

Cryptocurrency and North Korea: Context of the Threat

Attention to this case is heightened against the backdrop of regular reports from blockchain analysts linking North Korea to crypto hacker activity. According to a widely held version among researchers, cyber operations bring funds to the closed and sanctioned country that are difficult to obtain through legal means. Digital assets have become an important economic resource for Pyongyang.

The most well-known group associated with North Korea is the Lazarus Group. They are attributed with the largest crypto thefts in history, including the withdrawal of over $600 million from the Ronin network (Axie Infinity) in 2022 and the hack of the Coincheck exchange for about $534 million in 2018. The North Korean authorities themselves deny involvement in such attacks.

Analyst's Comment: The interest of North Korean agents in the MVRV Ratio metric is not just curiosity. It is a signal that Pyongyang is likely looking for entry points for large-scale market manipulations or assessing optimal moments to liquidate accumulated assets. The market should be prepared for state-backed hackers to increasingly use professional analytical tools to plan their operations.