NICKEL GLADSTONE

2021-06-15 Secure Works

https://www.sophos.com/en-us/threat-profiles/nickel-gladstone

A campaign in 2022, named TraderTraitor, involved a set of malicious cryptocurrency trading applications that targeted employees of organizations engaged in blockchain research. NICKEL GLADSTONE has also increasingly targeted cryptocurrency exchanges and other decentralized finance organizations since at least 2018, using apps to mimic legitimate cryptocurrency trading applications and platforms to steal wallet contents. Analysis of NICKEL GLADSTONE’s custom malware families suggests strong ties to previous North Korean operations, including Operation Blockbuster and the Sony Pictures intrusion. This focus on finance expands NICKEL GLADSTONE’s geographic scope beyond other North Korean groups, to include organizations in North and South America, Europe, Africa, and Asia.
