The analytical tracker CryptoQuant detected a North Korean hacker: what he was looking for and why it matters
The blockchain analytics platform CryptoQuant recorded an anomalous visit. A user from North Korea, operating from a DPRK IP address, accessed the page for Bitcoin's MVRV Ratio metric. This case is not just a statistical anomaly, but a rare opportunity to glimpse into the toolkit and interests of North Korean cyber groups.
A screenshot from the Amplitude system, published on social network X, reveals session details: the page title "Bitcoin: MVRV Ratio," a referral from google.com, the operating system Mac OS X, and, of course, the country — North Korea. The post's author reasonably assumed that this visit was made by professional hackers, not an ordinary citizen.
Why is this logical? In the DPRK, access to the global internet is a privilege for a narrow circle of individuals associated with state, military, or diplomatic structures. An ordinary resident cannot simply go online. Therefore, a visit from a North Korean IP address highly likely indicates a state agent.
What exactly was the North Korean user looking for?
According to the data, the user searched Google for information on the MVRV Ratio metric and navigated to the relevant CryptoQuant page. The MVRV Ratio (Market Value to Realized Value) compares an asset's market capitalization to its realized capitalization and is used to assess whether Bitcoin is overvalued or undervalued relative to the average coin acquisition price.
Why would a North Korean need this metric? The exact answer is unknown. However, the context is highly revealing. The DPRK regularly appears in blockchain analysts' reports regarding crypto hacker activity. According to a widely held view, cyber operations provide the closed and sanctioned country with funds that are difficult to obtain through legal means. Digital assets have become an important economic resource for Pyongyang.
Several groups are linked to the DPRK, the most famous being the Lazarus Group. They are attributed with the largest crypto thefts in history, including the theft of over $600 million from the Ronin network (Axie Infinity) in 2022 and the hack of the Coincheck exchange for approximately $534 million in 2018. The North Korean authorities themselves deny involvement in such attacks.
Of course, a single visit does not allow for identifying the user or directly confirming a connection to state structures. Determining the country by IP address only indicates the network exit point, not a specific person. But combined with the overall context of cyber threats from the DPRK, this case serves as another reminder that North Korean hackers are actively monitoring market metrics, possibly to plan their operations or assess the market.
Expert opinion from Cryptalist: This incident highlights that North Korean cyber groups are not only technically advanced but also deeply analytically savvy. Interest in the MVRV Ratio suggests they are tracking Bitcoin's macroeconomic signals to choose optimal moments for liquidating stolen funds. The market should prepare for these players' actions to become increasingly sophisticated and tied to market cycles.