Key Highlights
- CryptoQuant CEO Ki Young Ju shared a screenshot showing a North Korean IP address visiting the platform’s Bitcoin MVRV Ratio page.
- The user-property data listed the visitor’s country as North Korea and the device family as Mac OS X.
- The post comes against the backdrop of repeated DPRK-linked crypto hacks, including Bybit, KelpDAO, WazirX, and other major incidents.
CryptoQuant founder and CEO Ki Young Ju said a North Korean IP address accessed the platform’s Bitcoin MVRV Ratio page, drawing attention to a rare country-level signal from one of the most closely watched jurisdictions in crypto crime reporting.
The screenshot shared by Ki on X showed the visited page as “Bitcoin: MVRV Ratio | CryptoQuant.” The referrer was listed as Google, the country was marked as North Korea, and the device family was shown as Mac OS X.
Ki joked in the post that the “Supreme Leader’s trading desk” was doing on-chain research. The post quickly drew attention because Bitcoin MVRV is widely used by traders and analysts to assess whether Bitcoin is trading above or below its realized value.
North Korean IP reached Bitcoin valuation page
Bitcoin MVRV compares Bitcoin’s market value with its realized value. The metric is commonly used to identify overheated market conditions, capitulation zones, and long-term valuation bands.
The CryptoQuant screenshot does not show a wallet, a transaction, or an executed trade. It only shows that a session marked as North Korea reached a Bitcoin MVRV page through Google.
The device field added another layer to the post. The screenshot listed the visitor’s device family as Mac OS X. Apple’s global trade compliance policy lists North Korea under prohibited destinations and states that the exportation, reexportation, sale, or supply of Apple goods, software, technology, technical data, or services to North Korea is strictly prohibited without prior U.S. government authorization.
The combination of country and device signals therefore stands out: the session was marked as North Korea while the device family was listed as Mac OS X. The screenshot, however, does not identify the user or establish whether the device was physically located inside North Korea.
Should crypto traders worry?
The post does not indicate immediate market risk for Bitcoin. A visit to an MVRV page does not mean an entity is buying, selling, or preparing to move funds.
For traders, the concern is broader. North Korea-linked actors have repeatedly used crypto markets, exchanges, bridges, and laundering routes as part of large-scale cyber operations. The CryptoQuant screenshot adds a public-facing analytics signal to that larger pattern, but it does not prove that a state trading desk is active.
There is also no public evidence yet that DPRK-linked groups are directly logging into named on-chain analytics platforms such as CryptoQuant, Dune, Nansen, or Arkham as part of a documented operational workflow.
The available evidence is stronger on the laundering side. Investigators and blockchain intelligence firms have repeatedly tracked DPRK-linked funds moving through wallets, decentralized exchanges, cross-chain services, mixers, OTC brokers, and other crypto infrastructure.
DPRK links to crypto hacks remain in focus
The post comes as North Korea-linked crypto activity remains under global scrutiny. The FBI formally attributed the February 2025 Bybit hack to North Korea, saying DPRK-linked TraderTraitor actors stole approximately $1.5 billion in virtual assets from the exchange.
The Bybit hack attribution remains one of the most significant law-enforcement claims against DPRK-linked crypto actors. The FBI said the stolen assets were rapidly converted into Bitcoin and other virtual assets and spread across thousands of addresses.
Chainalysis estimated that North Korean hackers stole at least $2.02 billion in cryptocurrency in 2025, a 51% increase from 2024. The firm said the 2025 figure pushed DPRK-linked all-time crypto theft to $6.75 billion.
TRM Labs later said North Korea-linked hackers accounted for 76% of all crypto hack losses through April 2026. The firm attributed $577 million in losses to two incidents: the $285 million Drift Protocol hack and the $292 million KelpDAO bridge exploit.
North Korea has denied the allegations. In May, Pyongyang rejected claims tied to the KelpDAO exploit, calling U.S. accusations politically motivated and warning of countermeasures.
Lazarus Group’s crypto record
Lazarus Group, a North Korea-linked hacking collective, has been repeatedly connected to major crypto attacks. The group has been tied by investigators and blockchain researchers to exchange breaches, DeFi exploits, bridge attacks, and malware campaigns.
The group’s wider record includes incidents involving Bybit, Ronin, and KelpDAO. A detailed breakdown of Lazarus Group’s crypto hacks showed how major thefts have shaped the group’s reputation as one of the most persistent threats in the digital asset sector.
Indian users have also been affected by suspected DPRK-linked activity. In 2024, Lazarus Group was linked to the $230 million WazirX hack, one of the largest crypto security incidents involving an Indian exchange.
More recently, Humanity Protocol’s $36 million exploit involved phishing indicators consistent with known DPRK-linked intrusion techniques, according to Quantstamp’s investigation.
The Mac OS X field in Ki’s screenshot also overlaps with earlier reporting on DPRK-linked malware campaigns. Lazarus Group has previously been reported to use macOS-focused malware targeting crypto firms through fake meeting invites and social-engineering attempts.
DPRK-Linked Crypto Incidents
| Year | Incident | Reported Loss | Details |
|---|---|---|---|
| 2025 | Bybit hack | About $1.5 billion | FBI attributed the theft to DPRK-linked TraderTraitor actors. |
| 2025 | DPRK-linked crypto theft | At least $2.02 billion | Chainalysis estimated a 51% yearly increase in stolen value. |
| 2026 | Drift Protocol hack | $285 million | TRM Labs attributed the incident to North Korean hackers. |
| 2026 | KelpDAO bridge exploit | $292 million | TRM Labs linked the exploit to DPRK-linked activity. |
| 2024 | WazirX hack | About $230 million | Lazarus Group was linked to the breach by on-chain investigators. |
What it means for the market
The CryptoQuant screenshot does not show a direct threat to Bitcoin’s price. It shows that a user session marked as North Korea accessed a market valuation page that traders commonly use to read Bitcoin cycle conditions.
That makes the post relevant for market observers, but not because it points to an immediate trade. It matters because DPRK-linked actors have a long record of operating across crypto infrastructure, from theft and laundering to malware and social engineering.
For now, the strongest reading is that a North Korean IP appeared to access Bitcoin MVRV data through Google. Whether that was simple research, operational monitoring, or something else remains unknown.
