North Korean hackers are monitoring the MVRV metric: a visit to CryptoQuant revealed analytical tools
Analytical platform CryptoQuant has recorded unusual activity: a visit to the site from an IP address belonging to North Korea (DPRK). This event sheds light on the tools and data that professional hackers from this closed country are interested in.
Details of the anomalous visit
According to data from the Amplitude system, the visit was made from the Mac OS X operating system. The user navigated to the page with the Bitcoin: MVRV Ratio metric via a Google search. A single visit in itself does not allow for personal identification, but the context is crucial.
Access to the global internet in the DPRK is a privilege available only to a narrow circle of individuals associated with state, military, or diplomatic structures. An ordinary citizen cannot access the internet without government authorization. Therefore, any visit from North Korea to specialized crypto resources highly likely indicates a state agent, rather than an ordinary user.
Why specifically MVRV Ratio?
The MVRV Ratio metric (market value to realized value) is used to assess whether Bitcoin is overvalued or undervalued relative to the average purchase price of coins. This is a key indicator for major players, allowing them to forecast potential trend reversal points.
The fact that a North Korean user is purposefully searching for this particular indicator, rather than, say, altcoin rates or news, indicates a deep understanding of market analytics. This is not random interest — it is the work of an analyst evaluating Bitcoin's macroeconomic cycles.
Context: Cryptocurrency as an economic resource for Pyongyang
North Korea has long been under sanctions, and legal channels for obtaining foreign currency are extremely limited for it. According to numerous studies, cyberattacks on crypto exchanges and DeFi protocols have become one of the main sources of funding for Pyongyang.
The most well-known group associated with the DPRK is the Lazarus Group. It is credited with the largest thefts in the history of the crypto industry: the withdrawal of over $600 million from the Ronin network (Axie Infinity) in 2022 and the hack of the Coincheck exchange for approximately $534 million in 2018. The North Korean authorities, of course, deny their involvement in these attacks.
My analysis: This incident is not just a curiosity, but an important signal. It confirms that North Korean hackers are not only engaged in hacks but are also actively studying fundamental market metrics. The interest in the MVRV Ratio indicates that they are trying to synchronize their attacks with market cycles, choosing the most advantageous moments to liquidate stolen assets. This makes them even more dangerous and professional players in the crypto market.