NICKEL ACADEMY
2020-09-19 • Secure Works
NICKEL ACADEMY is Sophos reporting on North Korean Reconnaissance General Bureau cyber operations that are not assigned to a narrower subgroup. The profile says the activity has operated since at least 2009, with South Korean government and commercial organizations as primary targets and global targeting across government, financial, transportation, utility, NGO, cryptocurrency, and defense sectors. Reported tradecraft includes spearphishing, malware disguised as legitimate applications, stolen code-signing certificates, distributed denial-of-service activity, and custom malware families such as Destover, KorHigh, and Volgmer. The source also links the actor set to destructive operations, including the Sony Pictures attack, and frames the activity as supporting North Korean domestic and foreign policy objectives.