Crypto news

20.06.2026
08:00

Analytical toolkit of North Korean hackers: CryptoQuant recorded a direct visit from an IP address in the DPRK

CryptoQuant, a crypto analytics platform, recorded a unique event: a direct visit to its page from an IP address belonging to North Korea. This incident, which the service reported on social network X, sheds light on which analytical tools are attracting the attention of North Korean cyber specialists.

Understanding the specifics of North Korea's internal internet explains why this visit is the work of professional hackers rather than an ordinary citizen. Access to the global network in the country is severely restricted and is a privilege for a select few—mainly state, diplomatic, and military structures. Therefore, any internet access from North Korean territory with a high degree of probability indicates the actions of a state agent.

Visit Details: What Were They Looking for on CryptoQuant?

The screenshot from the Amplitude analytics system shows key session parameters: the page title—"Bitcoin: MVRV Ratio," a referral from google.com, the operating system Mac OS X, and the country—North Korea. The user searched Google for data on the MVRV Ratio (Market Value to Realized Value) metric and navigated to the relevant CryptoQuant page. The post's author suggested that on-chain analytics is now being handled by individuals close to the country's top leadership. If these guesses are correct, interest in market metrics is being shown at the highest level.

By itself, a single visit does not allow for identifying the user and does not directly confirm a connection to state structures. Determining the country by IP address only indicates the network exit point, not a specific person. However, the context makes this case extremely telling.

Cryptocurrency and North Korea: Context of the Threat

North Korea regularly appears in reports from blockchain analysts regarding the activity of crypto hackers. According to a common version, cyber operations provide the closed and sanctioned country with funds that are difficult to obtain through legal means. Digital assets have become an important economic resource for Pyongyang.

Several groups are linked to North Korea, the most famous of which is the Lazarus Group. They are attributed with the largest crypto thefts in history, including the withdrawal of over $600 million from the Ronin network (Axie Infinity) in 2022 and the hack of the Coincheck exchange for approximately $534 million in 2018. The North Korean authorities themselves deny involvement in such attacks.

Analyst's Comment: Interest in the MVRV Ratio, a standard on-chain metric, is not extraordinary in itself. However, the fact that the request originates from North Korea, where the internet is a tool for a narrow circle of individuals directly linked to state programs, confirms the systemic nature of their interest in the cryptocurrency market. These are not just hackers stealing funds—they are analysts studying market cycles to plan long-term operations.