A U.S. government entity reportedly paid about $1 million in a cyber extortion case involving the threat actor group known as Kairos, according to a case study published by Rakesh Krishnan for Ransom-ISAC. The findings are based on a leaked negotiation chat combined with blockchain analysis tracing the payment flow. The incident stands out not only for the scale of the payment but also for the nature of the attack, which appears to rely entirely on data theft and extortion rather than traditional ransomware encryption.
Krishnan’s analysis indicates that Kairos may not function as a conventional ransomware group at all. No evidence was found of file encryption activity, no locker or decryptor was identified, and no ransom key was demanded. Instead, the operation centered on stealing sensitive data and pressuring the victim into paying to prevent public release. The victim is not officially named, but indicators in the negotiation logs point toward Union County, Ohio. The leaked file references include Union.xlsx, 1 union co psi template.doc, and a compressed archive labeled union.rar. Within the negotiation, attackers specifically referenced a folder tied to the prosecutors office, warning that exposure of the material could be used to assist criminals in avoiding prosecution.
The broader context aligns with confirmed disclosures from Union County, Ohio in May 2025, when officials reported detection of ransomware activity within its network and later informed 45,487 residents and staff that personal data had been compromised. The exposed records reportedly included Social Security details, financial information, fingerprints, and passport numbers, affecting a large portion of the county population of approximately 70,000 residents. While neither Union County nor Kairos has confirmed direct attribution, the alignment between leaked negotiation artifacts and the known incident suggests a potential connection. The payment was reportedly completed on June 13, 2025, with the county allegedly paying roughly 9.44 bitcoin, valued at around $1 million at the time, after initially attempting negotiations starting at $100,000.
The negotiation process extended for roughly one month, during which Kairos initially demanded $3 million, claiming possession of more than 2 terabytes of stolen data consisting of approximately 1.6 million files. The victim gradually increased offers from $100,000 to $255,000 and then $430,000, while Kairos reduced its demand to $2 million before setting a final requirement of $1 million with a deadline threat of publication. Blockchain analysis shows the 9.44 BTC payment was split and moved through multiple wallets within hours, eventually reaching addresses associated with exchanges including Bybit, OKX, and a Russian service identified as BELQI. The attackers also provided what they described as proof of deletion, though only file listings were shared, offering no technical verification that the stolen data had been destroyed.
Security researchers note that the Kairos case reflects a broader shift in extortion tactics, where encryption is increasingly absent and stolen data itself becomes the primary leverage. Industry reporting from Sophos in 2025 indicates that only about half of ransomware incidents now involve encryption, marking a multi year low, with some groups eliminating it entirely. Similar behavior has been observed in operations such as Silent Ransom Group, which has conducted purely data theft based extortion campaigns against government, legal, and financial organizations without deploying ransomware payloads. The negotiation pattern also mirrors leaked communications from groups like Black Basta and Conti, where ransom demands follow predictable escalation and concession cycles. Kairos has since gone inactive, with its leak site offline, although associated wallets were reportedly active as recently as May 2026, suggesting continued financial movement despite apparent operational silence.
Follow the SPIN IDG WhatsApp Channel for updates across the Smart Pakistan Insights Network covering all of Pakistan’s technology ecosystem.





