Crypto news

20.06.2026
08:44

North Korean hackers use on-chain analytics: a visit to CryptoQuant has been recorded

The analytical platform CryptoQuant has recorded unusual activity: a user with an IP address from North Korea visited a page featuring Bitcoin's MVRV Ratio metric. This incident, detected by the Amplitude system, sheds light on the tools used by North Korean crypto hackers to monitor the market.

Visit Details: What the Screenshot Revealed

According to the visit data, the user navigated to the Bitcoin: MVRV Ratio page via a Google search, using the macOS operating system. The country of origin is North Korea. The post's author, CryptoQuant founder Ki Young Ju, suggested that this visit was not from ordinary users but from high-ranking government officials or professional hackers linked to state structures.

This assumption is not unfounded. In North Korea, access to the global internet is severely restricted and available only to a select few—government officials, diplomats, and military personnel. Therefore, any visit from a North Korean IP address highly likely indicates a state agent rather than an ordinary citizen.

MVRV Ratio: Why Would North Koreans Need It?

The MVRV Ratio (Market Value to Realized Value) metric compares an asset's market capitalization to its realized value and is used to assess whether Bitcoin is overvalued or undervalued relative to the average purchase price of coins. Why exactly this indicator was needed by the North Korean user remains unknown. However, the very fact of interest in fundamental on-chain analytics suggests a high level of professionalism and a strategic approach to managing crypto assets.

It is worth noting that a single visit does not allow for identifying the user or directly confirming a connection to state structures. Determining the country by IP address only indicates the network exit point, not a specific individual. Nevertheless, the context makes this incident highly revealing.

Context: North Korea and Cryptocurrencies

North Korea regularly appears in blockchain analytics reports due to crypto hacker activity. According to a widespread version, cyber operations provide the closed and sanctioned country with funds that are difficult to obtain through legal means. Digital assets have become an important economic resource for Pyongyang.

Several hacker groups are linked to North Korea, the most famous being the Lazarus Group. They are attributed with the largest crypto thefts in history, including the withdrawal of over $600 million from the Ronin network (Axie Infinity) in 2022 and the hack of the Coincheck exchange for approximately $534 million in 2018. The North Korean authorities themselves deny involvement in such attacks.

Analyst's Comment: The interest of North Korean hackers in metrics like the MVRV Ratio confirms that their activities go beyond simple thefts. They are actively studying market cycles and macroeconomic indicators to optimize the timing for liquidating stolen assets. This transforms them from ordinary hackers into strategic players capable of manipulating the market.