A U.S. government agency disbursed $1 million in extortion related to data theft.


      TL;DR: A US government entity reportedly paid around $1 million to the Kairos extortion group to keep stolen files from being published, according to a case study by Rakesh Krishnan for Ransom-ISAC built on a leaked negotiation chat and blockchain analysis. The evidence points to Union County, Ohio, but neither side has confirmed it. The case shows that much of what is still called "ransomware" now involves no encryption at all.

      According to the case study conducted by researcher Rakesh Krishnan for Ransom-ISAC, a US government entity paid approximately $1 million to prevent the publication of stolen files. The study utilizes a leaked negotiation chat and the blockchain trail of the payment.

      The group involved refers to itself as Kairos, but it may not fit the traditional mold of a ransomware gang. Krishnan reportedly found no encryption mechanism, no file locker, and no requests for a decryption key—only stolen files and a price for their confidentiality.

      The case study does not identify the victim; however, file names in the evidence of theft, including a file named "union.rar," suggest a link to Union County, Ohio. Neither the county nor Kairos has confirmed this association, and The Hacker News has reached out to the county for a response.

      The clues align with a real event. In May 2025, Union County identified ransomware on its network and subsequently informed 45,487 individuals that sensitive data, including Social Security numbers, fingerprints, and passport information, had been compromised.

      If confirmed, this would mean a county of about 70,000 residents made a $1 million payment that was never publicly disclosed. The attacker reportedly focused heavily on a folder labeled "prosecutors office," warning that any leaks could allow criminals to evade prosecution.

      Details of the settlement show that negotiations ran for roughly a month. Kairos opened at $3 million, claiming to hold more than 2TB of data in roughly 1.6 million files. The county allegedly opened at $100,000 and worked up to $430,000, while Kairos came down to $2 million before issuing a final, deadline-bound demand of $1 million. The victim paid on June 13, 2025, ten times its opening offer.

      The payment, about 9.44 bitcoin, was worth roughly $1 million at that week's rates. Within hours it was reportedly split and moved through a chain of wallets toward deposits at Bybit, OKX, and BELQI, a Russian service whose role recalls earlier ransomware laundering through WEX and BTC-e.

      The tracing of such transactions offers leads for investigators but often does not provide clear identities. Criminal groups have spent years perfecting methods to launder cryptocurrency through mules, mixers, and loosely regulated exchanges.

      The real value of what was purchased is another question. Kairos provided a "proof of deletion" file, but a list of file names merely indicates that the attacker once possessed the data, and promises to delete stolen information have proven unreliable in the past.

      Even though Union County described the event as ransomware, no encryption was involved in the Kairos case. A growing share of incidents still labelled ransomware now skip encryption entirely and use the stolen data itself as leverage, a playbook that recent extortion-only attacks have also applied to the private sector.

      Sophos reported in 2025 that only about half of ransomware attacks included encryption, down from 70% a year prior, marking the lowest percentage in six years. The Silent Ransom Group, associated with the Conti ecosystem, has conducted non-encryption extortion activities against US law firms, drawing repeated warnings from the FBI.

      The negotiating patterns are also familiar. Following the leak of Black Basta's internal chats in February 2025, one negotiation dropped from a $1.5 million initial demand to a counteroffer of $100,000 and a final payment of $1 million, reflecting a similar trend.

      Kairos appears to have gone quiet: its leak site is down and its last known victim was reported in June 2026, according to the case study. A related wallet was said to be still active as of May, a reminder that a dark leak site does not mean a group is inactive.

      For small government networks, the lessons learned are deliberately unexciting. Kairos purportedly gained access by guessing a password, highlighting the importance of implementing multi-factor authentication and alerts for repeated failed login attempts, which could significantly increase the difficulty of unauthorized access.

      Defenders should also monitor outbound transfers and temporary file-sharing links, like the temp.sh addresses used by the attacker, while keeping legal and citizen records separated from the broader network. Above all, a thief’s proof of deleted data is worth precisely what it cost to create.
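      The two defensive signals above, repeated failed logins followed by a success and large outbound transfers to a throwaway file host such as temp.sh, are simple enough to detect with a few lines of code. The following is an added example written for this page, not code from the case study or from Ransom-ISAC. The log lines are constructed, the auth lines follow sshd's "Failed/Accepted password" wording, and the proxy line format (timestamp, source, method, host, bytes sent) is an assumption; adapt the regular expressions to whatever your systems actually emit.

```python
"""Added example (not from the case study): flag password-guessing bursts in
auth logs and large uploads to throwaway file-sharing hosts in proxy logs.
All sample data below is constructed; log formats are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed auth log: a five-account guessing burst from one source that
# ends in a successful login, plus one innocent typo from another source.
AUTH_LOG = """\
2025-05-01T02:14:01Z sshd[811]: Failed password for admin from 203.0.113.7 port 51000
2025-05-01T02:14:03Z sshd[811]: Failed password for admin from 203.0.113.7 port 51001
2025-05-01T02:14:05Z sshd[811]: Failed password for jsmith from 203.0.113.7 port 51002
2025-05-01T02:14:08Z sshd[811]: Failed password for backup from 203.0.113.7 port 51003
2025-05-01T02:14:09Z sshd[811]: Failed password for svc_sql from 203.0.113.7 port 51004
2025-05-01T02:14:12Z sshd[811]: Accepted password for svc_sql from 203.0.113.7 port 51005
2025-05-01T09:00:00Z sshd[900]: Failed password for clerk from 192.0.2.10 port 40000
2025-05-01T09:30:00Z sshd[901]: Accepted password for clerk from 192.0.2.10 port 40001
"""

# Constructed proxy log, assumed format: timestamp src method host bytes_sent
PROXY_LOG = """\
2025-05-02T01:05:00Z 10.0.5.21 CONNECT temp.sh:443 1048576
2025-05-02T01:06:00Z 10.0.5.22 GET intranet.example:80 2048
2025-05-02T01:07:00Z 10.0.5.23 CONNECT temp.sh:443 512
"""

AUTH_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src>\S+)"
)


def find_guessing_bursts(lines, threshold=5, window=timedelta(minutes=5)):
    """Return {src_ip: details} for sources with >= `threshold` failed logins
    inside `window`, noting whether a success followed the burst (the pattern
    that matters most: the guess eventually worked)."""
    events = defaultdict(list)  # src -> [(ts, result, user)]
    for line in lines:
        m = AUTH_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events[m["src"]].append((ts, m["result"], m["user"]))

    alerts = {}
    for src, evs in events.items():
        evs.sort()
        fails = [ts for ts, r, _ in evs if r == "Failed"]
        # Sliding window over failure timestamps only.
        for i in range(len(fails)):
            j = i
            while j < len(fails) and fails[j] - fails[i] <= window:
                j += 1
            if j - i >= threshold:
                burst_end = fails[j - 1]
                alerts[src] = {
                    "failures": j - i,
                    "users": sorted({u for ts, r, u in evs
                                     if r == "Failed" and fails[i] <= ts <= burst_end}),
                    "success_after": any(r == "Accepted" and ts >= burst_end
                                         for ts, r, _ in evs),
                }
                break
    return alerts


# Throwaway file hosts worth alerting on; extend for your environment.
TEMP_SHARE_HOSTS = {"temp.sh"}


def find_temp_share_uploads(lines, min_bytes=1_000_000):
    """Flag proxy records that push >= `min_bytes` to a throwaway file host.
    Small hits below the threshold are ignored to cut noise."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) != 5:
            continue  # assumed five-field format; skip anything else
        ts, src, method, host, sent = parts
        host = host.split(":")[0].lower()
        if host in TEMP_SHARE_HOSTS and int(sent) >= min_bytes:
            hits.append({"ts": ts, "src": src, "host": host, "bytes": int(sent)})
    return hits


if __name__ == "__main__":
    for src, d in find_guessing_bursts(AUTH_LOG.splitlines()).items():
        print(f"guessing burst from {src}: {d}")
    for h in find_temp_share_uploads(PROXY_LOG.splitlines()):
        print(f"large upload to throwaway host: {h}")
```

      The burst detector keys on failures per source rather than per account so that low-and-slow spraying across many usernames, as in the sample, still trips the threshold; the `success_after` flag is what should page someone. The proxy check is deliberately crude: a list of known throwaway hosts and a byte threshold catches the bulk exfiltration the case describes without drowning analysts in every 2KB hit.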
