CryptoQuant analytics reveals tools used by North Korean crypto hackers: visit from a DPRK IP address
The analytical platform CryptoQuant recorded a unique case: a user visit from an IP address belonging to North Korea (DPRK). The corresponding observation was published on the service's official X account. This incident sheds light on which tools and data North Korean hackers operating in the cryptocurrency space are interested in.
Visit Details: MVRV Ratio and Mac OS X
According to a screenshot from the Amplitude analytics system, the visit parameters are as follows: page title — "Bitcoin: MVRV Ratio", referral from google.com, operating system — Mac OS X, and country — North Korea. The post author suggested that online analytics are now being handled by individuals close to the country's top leadership. If this guess is correct, interest in market metrics is being shown at the highest level.
The assumption about hackers did not arise by chance. In North Korea, access to the global internet is closed to the vast majority of citizens. The internet remains a privilege for a select few associated with state, embassy, or military structures. That is why a visit from a North Korean IP address most likely indicates a state agent.
Judging by the screenshot, the user searched Google for data on the MVRV Ratio metric and landed on the relevant CryptoQuant page. By itself, a single visit does not allow identifying the user and does not directly confirm a connection to state structures. Determining the country by IP address only indicates the network exit point, not a specific person.
Cryptocurrency and the DPRK: Threat Context
Attention to this post is amplified by the context. The DPRK regularly appears in blockchain analysts' reports regarding crypto hacker activity. According to a version common among researchers, cyber operations provide the closed and sanctioned country with funds that are difficult to obtain through legal means. As a result, digital assets have become an important economic resource for Pyongyang.
A number of groups are associated with Pyongyang, the most famous of which is the Lazarus Group. They are attributed with the largest crypto thefts in history, including the withdrawal of over $600 million from the Ronin network (Axie Infinity) in 2022 and the hack of the Coincheck exchange for approximately $534 million in 2018. The North Korean authorities themselves deny involvement in such attacks.
My expert opinion: This incident is not just a random visit. It demonstrates that North Korean hackers are actively studying fundamental on-chain metrics, such as the MVRV Ratio, to assess the market situation. This indicates a professionalization of their approach: they not only steal assets but also seek to understand macroeconomic cycles to choose the optimal moment for liquidating their loot. The market should consider that behind every major theft lies complex analytical work.