North Korean hackers disguised themselves with interest in on-chain metrics: surveillance tools revealed
Analytical platform CryptoQuant recorded a unique case: a visit from a user with an IP address belonging to North Korea. This incident, which the service reported in its post on platform X, sheds light on which analytical tools are of interest to North Korean state-level crypto hackers.
A screenshot from the Amplitude analytics system, published in the post, reveals session details. The user navigated to the Bitcoin metric page: MVRV Ratio via a Google search. Their device ran on Mac OS X, and the country of entry was listed as North Korea. The post's author reasonably assumed that this visit was not from ordinary citizens, but from representatives of the country's top leadership overseeing hacking operations.
Why this matters
In North Korea, access to the global network is a privilege for the few. The internet is mainly available to those connected to state, diplomatic, or military structures. Therefore, a single visit from a North Korean IP address highly likely indicates a state agent, not a random user.
This visit alone does not allow identifying the user, but it clearly points to the network exit point. Moreover, it demonstrates that North Korean hackers are actively studying on-chain metrics, particularly the MVRV Ratio (market value to realized value). This indicator is used to assess whether Bitcoin is overvalued or undervalued relative to the average coin acquisition price. Why exactly this metric was needed by a North Korean representative remains a mystery, but the very fact of interest in such data is telling.
Context: Cryptocurrency as Pyongyang's economic resource
This incident fits into the bigger picture. North Korea regularly appears in blockchain analytics reports regarding crypto hacker activity. According to a common version among researchers, cyber operations bring funds to the closed and sanctioned country that are difficult to obtain through legal means. Digital assets have become an important economic resource for Pyongyang.
Several hacker groups are associated with North Korea, the most famous being the Lazarus Group. They are blamed for the largest crypto thefts in history, including the withdrawal of over $600 million from the Ronin network (Axie Infinity) in 2022 and the hack of the Coincheck exchange for about $534 million in 2018. The North Korean authorities themselves, of course, deny any involvement in such attacks.
Expert commentary from Cryptalist: This case is not just a curiosity, but a clear signal for the market. The fact that North Korean hackers have started taking an interest in fundamental on-chain metrics indicates a growth in their analytical maturity. They are no longer just hacking wallets—they are studying macroeconomic indicators to plan their operations. For investors, this means that any unusual movement of large volumes, especially during extreme MVRV values, could be linked to the actions of state players, rather than just market panic or greed.