North Korean hackers exposed themselves by studying Bitcoin on-chain metrics
The analytical platform CryptoQuant has recorded a unique event: a visit from a user with an IP address belonging to North Korea. This case sheds light on the tools and data that North Korean cyber specialists working in the crypto sphere are interested in.
A screenshot from the Amplitude system, published on social network X, shows the visit parameters: the user navigated to the page with the Bitcoin: MVRV Ratio metric via a Google search, using the Mac OS X operating system. Most notably, the country of origin for the traffic is listed as North Korea.
The author of the post hypothesized that behind this visit are not ordinary citizens, but representatives of the country's top leadership or professional hackers. This assumption has serious grounds. In North Korea, access to the global network is a privilege for a select few—mainly those connected to state, military, or diplomatic structures. An ordinary North Korean simply does not have the technical capability to access the internet.
By itself, a single visit does not allow for identifying the user's identity or directly confirming their connection to state structures. Determining the country by IP address only indicates the network exit point. However, the context and specifics of the internet in the country make this visit extremely telling.
Why do North Koreans need the MVRV Ratio?
The MVRV Ratio (Market Value to Realized Value) is a fundamental on-chain metric that compares an asset's market capitalization to its realized capitalization. It is used to assess whether Bitcoin is overvalued or undervalued relative to the average purchase price of all coins. Why exactly this metric was needed by a North Korean user remains a mystery. However, the very fact of interest in market indicators at the highest level speaks volumes.
Cryptocurrency as an economic resource for Pyongyang
Interest in this incident is heightened against the backdrop of the long-known activity of North Korean hackers. North Korea regularly appears in reports from blockchain analysts in connection with the activities of crypto hacker groups. The most famous of these is the Lazarus Group. It is credited with the largest crypto thefts in history, including the withdrawal of over $600 million from the Ronin network (Axie Infinity) in 2022 and the hack of the Coincheck exchange for approximately $534 million in 2018.
According to a widely held view, cyber operations provide the closed and sanctioned country with funds that are difficult to obtain through legal means. Digital assets have become an important economic resource for Pyongyang, and interest in professional analytical tools is a logical continuation of this activity.
Expert opinion: This case is not just a curiosity, but a signal for the entire market. The fact that North Korean hackers have begun systematically studying fundamental metrics like the MVRV Ratio indicates a professionalization of their approach. They are no longer just hacking exchanges, but are trying to analyze market cycles to choose optimal moments for liquidating stolen assets. This makes the task of tracking and blocking their transactions even more difficult for analytical firms and regulators.