Crypto news

20.06.2026
08:15

Analysts at CryptoQuant have identified North Korean hackers studying Bitcoin on-chain metrics.

A landmark event has occurred in the field of cybersecurity: the analytical platform CryptoQuant recorded a visit from a user with an IP address belonging to North Korea. This traffic was directed to a page featuring Bitcoin's MVRV Ratio metric, sparking widespread resonance in the professional community. By itself, a single visit does not allow for identification, but the context provides grounds for serious conclusions.

North Korea is a country with severely restricted internet access. The global network is available only to a narrow circle of individuals associated with state, military, or diplomatic structures. This is precisely why any traffic from North Korea to specialized cryptocurrency resources is highly likely to originate from state agents rather than ordinary citizens.

According to a screenshot from the Amplitude system, the user navigated to the CryptoQuant page via a Google search, using the Mac OS X operating system. The page title is "Bitcoin: MVRV Ratio." This metric compares an asset's market capitalization to its realized capitalization and is used to assess whether Bitcoin is overvalued or undervalued relative to the average coin acquisition price. Why a North Korean hacker would need this information remains a matter of speculation, but the fact itself raises questions.

Cryptocurrency as an Economic Resource for Pyongyang

North Korea regularly appears in blockchain analytics reports due to the activity of hacker groups. According to a widely held view, cyber operations provide the closed and sanctioned country with funds that are difficult to obtain through legal means. Digital assets have become an important economic resource for Pyongyang.

The most well-known group associated with North Korea is the Lazarus Group. It is attributed with the largest cryptocurrency thefts in history, including the withdrawal of over $600 million from the Ronin network (Axie Infinity) in 2022 and the hack of the Coincheck exchange for approximately $534 million in 2018. North Korean authorities deny their involvement in such attacks, but on-chain analytics data and intelligence reports suggest otherwise.

Expert opinion: A single visit to a page with the MVRV Ratio is not direct evidence of preparations for a new attack. However, it demonstrates that North Korean hackers are actively monitoring market metrics and likely using them to assess optimal entry and exit points for positions. This indicates a high level of their preparedness and integration with the global crypto market.