News

U.S. Government Entity Paid $1 Million to Prevent Data Leak by Kairos Group

A U.S. government entity paid $1 million to the Kairos group to prevent stolen files from being leaked, raising questions about the nature of the attack.

A U.S. government entity, likely Union County, Ohio, paid $1 million to the Kairos group to prevent the leak of stolen files. The incident highlights a shift in cyberattacks from ransomware to pure data-theft extortion.

U.S. Government Entity Paid $1 Million to Prevent Data Leak by Kairos Group

A U.S. government entity paid approximately $1 million to the Kairos group to prevent stolen files from being leaked, according to a new case study by Rakesh Krishnan for Ransom-ISAC. The study is based on a leaked negotiation chat and the blockchain trail of the payment.

Unusual Attack: No Ransomware Involved

The Kairos group, which received the payment, is not believed to be a traditional ransomware gang. Krishnan found no evidence that Kairos ever used encryption or demanded a decryption key. Instead, the group stole files and threatened to publish them unless the victim paid.

The victim, while unnamed in the study, is believed to be Union County, Ohio. The stolen files included names like Union.xlsx and 1 union co psi template.doc, and the attacker specifically threatened to leak a folder marked prosecutors office, which could aid criminals in evading charges.

The $1 Million Payment

The negotiation between Kairos and the victim lasted about a month. Kairos initially demanded 3million,claimingtoholdover2terabytesofdatacomprising1.6millionfiles.Thevictimstartedwithanofferof3 million, claiming to hold over 2 terabytes of data comprising 1.6 million files. The victim started with an offer of 100,000 and gradually increased it to 430,000.Kairosultimatelysettledfor430,000. Kairos ultimately settled for 1 million, threatening to leak the files if the payment was not made by a specific deadline.

The payment, made on June 13, 2025, was approximately 9.44 bitcoin, worth about $1 million at the time. Krishnan traced the funds as they were split and moved through wallets tied to crypto exchanges like Bybit, OKX, and a Russian service called BELQI.

The Victim: Union County, Ohio

The clues in the case study align with a real incident in May 2025, when Union County, Ohio, reported detecting ransomware on its network. The county later notified 45,487 residents and staff that their data had been compromised, including Social Security numbers, financial details, fingerprints, and passport numbers.

Neither Union County nor Kairos has confirmed the connection, but if true, it would mean the county paid $1 million without publicly disclosing the payment. The Hacker News has reached out to the Union County Commissioners' Office for comment.

Shift in Cyberattack Tactics

The Kairos incident highlights a growing trend in cyberattacks: data-theft extortion without encryption. According to a 2025 report by Sophos, only about half of ransomware attacks now involve encryption, the lowest rate in six years. Groups like the Silent Ransom Group have entirely abandoned encryption, relying solely on the threat of leaking stolen data.

The negotiation tactics used by Kairos are also consistent with those of other cybercriminal groups. For example, leaked chats from the Black Basta group in February 2025 revealed a similar pattern of demands and counteroffers.

Kairos Group Status and Lessons Learned

Kairos has gone quiet since its last known victim in June 2026, but a wallet linked to the group was still active as recently as May 2026. This suggests that while the group's leak site is down, its operations may still be ongoing.

For government entities and other organizations, the incident underscores the importance of cybersecurity measures such as:

  • Enabling multi-factor authentication.
  • Monitoring for repeated failed logins and large outbound data transfers.
  • Keeping sensitive records isolated from the rest of the network.
  • Preparing a public statement plan in case of a breach.

Additionally, organizations are advised to treat any promise to delete stolen data with skepticism, as such assurances are often unreliable.