U.S. Government Entity Allegedly Paid Kairos About $1 Million in Data Extortion Case
A U.S. government organization appears to have paid roughly $1 million after attackers threatened to publish stolen data, according to a new case study from Ransom-ISAC researcher Rakesh Krishnan. The...
A U.S. government organization appears to have paid roughly $1 million after attackers threatened to publish stolen data, according to a new case study from Ransom-ISAC researcher Rakesh Krishnan. The analysis is based on a leaked negotiation chat and cryptocurrency tracing that followed the payment.
The incident is notable because the group using the name Kairos does not seem to have used traditional ransomware tactics. Krishnan said he found no evidence of file encryption, decryption tools, or a locker mechanism. Instead, the operation centered on stealing data and pressuring the victim not to release it publicly.
The victim was not named in the study, but details in the chat suggest Union County, Ohio. File names in the material included references such as Union.xlsx and union.rar, and the attacker repeatedly pointed to a folder labeled for the prosecutors office, implying the documents could be especially damaging if exposed.
Union County said in May 2025 that it had detected ransomware activity and later notified tens of thousands of residents and employees that personal information had been stolen. The exposed records reportedly included Social Security numbers, financial data, fingerprints and passport information. The county has not publicly confirmed a link to Kairos, and the group has also not acknowledged the connection.
How the negotiation unfolded
According to the leaked chat, the extortion demand began at $3 million and moved through several rounds of bargaining. The county’s offers increased from $100,000 to $255,000 and later $430,000, while Kairos lowered its demand to $2 million before settling on a final ask of $1 million.
The payment, made on June 13, 2025, was about 9.44 bitcoin at the time. Krishnan said the funds were quickly split and moved through multiple wallets before reaching addresses associated with major exchanges and a Russian cryptocurrency service.
The case reflects a broader shift in extortion-driven attacks, where some operators no longer bother encrypting systems and instead rely on stolen data alone to force payment. Security researchers have noted that this model has become increasingly common in recent years.
- Kairos allegedly threatened to leak sensitive county records if payment was not made.
- A “proof of deletion” file was provided, but that does not verify the data was actually erased.
- Researchers say defenses such as multi-factor authentication and segmentation remain key for local governments.
Krishnan said Kairos’ public leak site is no longer active, though wallet activity linked to the operation reportedly continued into 2026.
