NICKEL GLADSTONE
SUMMARY
NICKEL GLADSTONE is a subgroup of NICKEL ACADEMY that CTU researchers assess with high confidence focuses on acquisitive financial crime, targeting financial institutions and conducting online criminal activities for financial gain. This focus on finance expands NICKEL GLADSTONE’s geographic scope beyond that of other North Korean groups to include organizations in North and South America, Europe, Africa, and Asia. The group appears particularly interested in targeting companies operating in countries that have weaker financial regulatory regimes.
NICKEL GLADSTONE came to prominence in February 2016, when the news broke about the Bangladesh Central Bank's loss of $81 million USD through fraudulent messages in the SWIFT network. Since then, the group has conducted similar operations against financial institutions such as banks in Vietnam, Ecuador, Taiwan, Chile, and India. NICKEL GLADSTONE was likely responsible for compromising the Polish Financial Supervision Authority (PFSA) website in February 2017.
NICKEL GLADSTONE has also increasingly targeted cryptocurrency exchanges and other decentralized finance organizations since at least 2018, using apps that mimic legitimate cryptocurrency trading applications and platforms to steal wallet contents. A campaign in 2022, named TraderTraitor, involved a set of malicious cryptocurrency trading applications that targeted employees of organizations engaged in blockchain research.
CTU researchers assess with moderate confidence that NICKEL GLADSTONE shares tools with NICKEL ACADEMY. Analysis of NICKEL GLADSTONE’s custom malware families suggests strong ties to previous North Korean operations, including Operation Blockbuster and the Sony Pictures intrusion. However, NICKEL GLADSTONE has demonstrated an operational focus and sophistication that distinguish it from the more voluminous NICKEL ACADEMY activity.