Crypto news

20.06.2026
08:30

North Korean hackers exposed themselves: CryptoQuant recorded a visit from an IP address in North Korea.

Analytical platform CryptoQuant has recorded unusual activity: a visit from a user with an IP address belonging to North Korea. This incident sheds light on the tools and metrics that interest North Korean hackers and confirms their deep interest in the digital asset market.

Details of the visit: what was the North Korean user looking for?

According to data from the Amplitude analytics system, the visit was made from a Mac OS X operating system. The user navigated to the page with the Bitcoin: MVRV Ratio metric via a Google search query. The very fact that the IP address belongs to North Korea is a key detail. In the DPRK, access to the global internet is extremely limited and is a privilege for a select few, primarily government agencies, military, and diplomatic circles.

That is why a visit from a North Korean IP almost certainly points to a professional hacker or state agent, rather than an ordinary citizen. The single visit itself does not allow for identifying the user, but the geographic IP binding indicates the network exit point, not a specific person. However, the context heightens suspicions: the DPRK regularly appears in blockchain analysts' reports as one of the main sources of cyberattacks on the crypto industry.

Why the MVRV Ratio metric?

The MVRV Ratio (Market Value to Realized Value) is a key indicator that compares an asset's market capitalization to its realized capitalization. It is used to assess whether Bitcoin is overvalued or undervalued relative to the average coin acquisition price. Why this metric was needed by the North Korean user remains a mystery, but the interest in fundamental market indicators suggests a high level of analytical expertise.

Cryptocurrency and the DPRK: a long-standing history

North Korea has long been associated with the largest crypto thefts in history. The most notorious group is the Lazarus Group. It is credited with stealing over $600 million from the Ronin network (Axie Infinity) in 2022 and hacking the Coincheck exchange for approximately $534 million in 2018. The DPRK authorities, of course, deny involvement in such attacks, but for a country under strict sanctions, digital assets have become an important economic resource.

Expert comment: This incident is not just a curiosity but a signal for the entire industry. North Korean hackers are not only actively attacking exchanges and DeFi protocols but also thoroughly studying fundamental market metrics like the MVRV Ratio. This indicates they are not acting blindly but with a deep understanding of market dynamics. This level of threat can no longer be ignored.