North Korea has set its sights on on-chain metrics: the analytical toolkit of Lazarus hackers revealed.
The world of cryptocurrency analytics has received unexpected confirmation that cybercriminal groups linked to North Korea are reaching a new level. The CryptoQuant platform recorded a visit from a user with an IP address belonging to North Korea. This is not just an ordinary event — the context indicates that professional hackers, not ordinary citizens, are behind this visit.
A screenshot from the Amplitude analytics system, published by the platform, reveals details: the user navigated to the Bitcoin: MVRV Ratio metric page via a Google search, using the Mac OS X operating system. The geolocation by IP itself is merely an exit point on the network, but in the conditions of North Korea, where access to the global internet is strictly limited and a privilege for the select few (government officials, diplomats, and military), such a visit almost certainly points to a state agent.
Interest in the MVRV Ratio metric (market value to realized value ratio) is a key signal. This tool is used to assess whether Bitcoin is overvalued or undervalued relative to the average purchase price of coins. Why would North Korean hackers need this data? The answer is obvious: to plan timing attacks and assess market liquidity. It is likely that the country's leadership or hacker groups, such as the infamous Lazarus Group, are studying fundamental indicators to choose the optimal moment for converting stolen funds.
North Korea has long appeared in reports from blockchain analysts. Pyongyang regularly denies involvement, but experts link it to the largest thefts in cryptocurrency history: the withdrawal of over $600 million from the Ronin network (Axie Infinity) in 2022 and the hack of the Coincheck exchange for $534 million in 2018. For a country under strict sanctions, digital assets have become a critical economic resource.
This case is not just a curious artifact. It demonstrates that North Korean cyber operations are transitioning from crude hacks to analytical intelligence. They are studying the market not as ordinary robbers, but as institutional players armed with professional tools. This increases risks for the entire ecosystem.
Analytical conclusion: The use of metrics such as the MVRV Ratio by North Korean hackers is an alarming sign. It indicates that their tactics are becoming more sophisticated and focused on long-term liquidity. The market should expect more well-planned and large-scale attacks, coordinated with global Bitcoin price movements.