North Korean hackers have been exposed while studying on-chain metrics: what CryptoQuant's analysis revealed
Analytical platform CryptoQuant recorded an unusual visit: a user with an IP address from North Korea was studying data on the MVRV Ratio metric. This event, published on social network X, caused widespread resonance in the professional community, as access to the global network in the DPRK is a privilege available only to a narrow circle of people.
According to data from the Amplitude system, recorded in the screenshot, the visitor navigated to the Bitcoin: MVRV Ratio page from a Google search query. The visit was made from the Mac OS X operating system. The single traffic from a North Korean IP itself does not allow for unambiguous identification of the user. However, the context is crucial.
Incident Details
In the DPRK, the internet is a tool primarily accessible to state, military, and diplomatic structures. This is why the appearance of a request from an IP address in this country highly likely indicates a state agent, rather than an ordinary citizen. The author of the post on X, head of CryptoQuant Ki Young Ju, suggested that representatives of the country's top leadership could be behind this visit, making the event even more intriguing.
The MVRV Ratio (Market Value to Realized Value) is a key on-chain metric that compares an asset's market capitalization with its realized capitalization. It is used to assess whether Bitcoin is overvalued or undervalued relative to the average coin acquisition price. Why a North Korean user needed this particular tool remains a matter of speculation, but the very fact of such interest speaks volumes.
Cryptocurrency and the DPRK: Context of the Threat
Attention to this incident is heightened against the backdrop of a long history of cyberattacks attributed to Pyongyang. North Korea regularly appears in reports from blockchain analysts as a key player in the world of crypto hacking. According to a common version, digital assets have become a vital economic resource for the closed and sanctioned country. Cyber operations generate funds that are difficult to obtain through legal means.
The most well-known group associated with the DPRK is the Lazarus Group. This group is attributed with the largest crypto thefts in history, including the withdrawal of over $600 million from the Ronin network (Axie Infinity) in 2022 and the hack of the Coincheck exchange for approximately $534 million in 2018. The North Korean authorities themselves deny involvement in such attacks.
Expert opinion. A single visit to CryptoQuant is certainly not direct evidence of preparation for a new attack. However, it highlights the systemic interest of DPRK state structures in analytical tools typically used by professional traders and investors. This suggests that Pyongyang is not just stealing assets but also attempting to gain a deeper understanding of market dynamics, likely to optimize strategies for laundering and liquidating stolen funds. The market should consider that not only analysts but also those seeking to use them for their own purposes may be monitoring familiar on-chain metrics.