Analysts at CryptoQuant have detected a North Korean hacker studying Bitcoin on-chain metrics.
The world of cryptocurrency security has received an unexpected yet highly revealing piece of evidence showing how high-ranking individuals from North Korea study market analytics. The CryptoQuant platform recorded a visit from a user with a North Korean IP address, who was specifically interested in Bitcoin's MVRV Ratio metric.
This event is not just a routine log in an analytics system. Given that access to the global internet in North Korea is a privilege reserved for a select few connected to state, military, or diplomatic structures, this visit highly likely points to a professional hacker or state agent. An ordinary North Korean citizen simply does not have the technical capability to access the open internet.
Details of the Anomalous Visit
According to data from the Amplitude system, as cited by an analyst, the visit was made from a Mac OS X operating system. The user navigated to the CryptoQuant page from a Google search, entering a query for the MVRV Ratio metric. By itself, a single visit does not identify an individual, but the geographic IP attribution to North Korea is a powerful signal. This is not just an exit node on the network, but a direct indication that interest in market data originates from the world's most closed-off country.
The MVRV Ratio (Market Value to Realized Value) is a fundamental on-chain indicator that compares an asset's current market capitalization to its capitalization calculated based on the price of each coin's last movement. It is used to assess whether Bitcoin is overvalued or undervalued relative to the average purchase price of holders. Why would a North Korean agent need this specific metric? The answer is obvious: for planning large-scale market operations.
Cryptocurrency as a Geopolitical Tool for Pyongyang
The context of this visit amplifies its significance. North Korea regularly appears in blockchain analytics reports as one of the main sources of cyber threats in the crypto sphere. According to a widely held view, hacking operations, particularly those of the Lazarus Group, generate funds for the regime that cannot be obtained through legal means due to sanctions. Digital assets have become a critically important economic resource for Pyongyang.
It is the Lazarus Group that is attributed with the largest thefts in history: the withdrawal of over $600 million from the Ronin network (Axie Infinity) in 2022 and the hack of the Coincheck exchange for approximately $534 million in 2018. The very fact that representatives of these structures are studying on-chain metrics speaks to their high level of preparation. They do not just steal; they analyze the market to optimize their actions—from choosing the timing for liquidating stolen assets to assessing global sentiment.
Expert opinion: This incident is a clear signal for the entire market. North Korean hackers have transitioned from simple hacking to professional trading and analysis. They are not just robbing; they are managing their portfolios like experienced institutional investors. The market should prepare for the actions of these groups to become increasingly sophisticated and coordinated with macroeconomic conditions.