North Korean hackers have appeared in CryptoQuant: examining their analytical arsenal
The analytics platform CryptoQuant recorded a visit from a user with a North Korean IP address. This is no ordinary event: given the strict internet isolation in the DPRK, such traffic almost certainly points to professional hackers rather than a random citizen. The details of the visit reveal which tools and metrics North Korean cyber groups are interested in.
According to data from the Amplitude analytics system, the user opened the page for the Bitcoin: MVRV Ratio metric. The referrer was google.com, the operating system was Mac OS X, and the country was North Korea. The author of a post on the social network X suggested that individuals close to the country's top leadership were behind the visit. If so, interest in market metrics is being shown at the highest level.
Visit details and context
On its own, a single visit does not make it possible to identify the user or directly confirm a connection to state structures. However, context matters a great deal. In North Korea, access to the global network is a privilege reserved for a select few associated with state, embassy, or military structures. That is why a visit from a North Korean IP address very likely indicates a state agent.
The user searched Google for data on the MVRV Ratio (Market Value to Realized Value), a metric that compares an asset's market capitalization to its realized capitalization and is used to assess whether Bitcoin is overvalued or undervalued relative to the average coin acquisition price. Why this visitor needed this particular metric is unknown, but the very fact of interest in fundamental on-chain indicators points to a high level of analytical training.
Cryptocurrency and the DPRK: an inseparable connection
The DPRK regularly appears in blockchain analysts' reports on crypto hacking activity. According to a widely held view, cyber operations provide the closed and sanctioned country with funds that are difficult to obtain through legal means. Digital assets have become an important economic resource for Pyongyang.
Several groups are associated with Pyongyang, the best known of which is the Lazarus Group. The largest crypto thefts in history are attributed to it, including the theft of over $600 million from the Ronin network (Axie Infinity) in 2022 and the hack of the Coincheck exchange for about $534 million in 2018. The North Korean authorities themselves deny involvement in such attacks.
Expert comment: The interest of North Korean hackers in metrics like the MVRV Ratio is an alarming signal. This means that state cyber groups are moving from simple attacks to deep market analysis. They are not just stealing assets but trying to understand optimal entry and exit points, making their actions even more dangerous for investors and exchanges. The market should prepare for more sophisticated attacks based on on-chain analytics data.