U.S. Government Entity Pays $1 Million in Data-Theft Extortion by Kairos
A recent incident involving a U.S. government entity has highlighted the evolving landscape of cyber extortion. This entity reportedly paid approximately $1 million to prevent the public release of stolen files, as detailed in a case study that analyzed leaked negotiation chats and the blockchain trail of the payment.
The Nature of the Threat
The group behind the extortion, known as Kairos, presents a unique challenge in the cybersecurity realm. Unlike traditional ransomware gangs, which typically encrypt files and demand a ransom for decryption keys, Kairos appears to have employed a different tactic. Investigations revealed no evidence of file encryption or system locking. Instead, the group stole sensitive files and threatened to publish them unless paid.
While the specific victim has not been officially named, evidence points to Union County, Ohio. The stolen files included sensitive documents such as spreadsheets and templates, with one folder specifically marked “prosecutors office.” The attackers warned that leaking this folder could jeopardize ongoing legal proceedings.
Context of the Incident
In May 2025, Union County publicly acknowledged a ransomware detection on its network, subsequently notifying over 45,000 residents and staff that their data had been compromised. This breach affected a significant portion of the county’s population, which is roughly 70,000. The stolen data included Social Security numbers, financial information, fingerprints, and passport numbers.
Neither Union County nor Kairos has confirmed their connection, but if substantiated, this incident marks a significant financial decision by a local government to pay a ransom that was never publicly disclosed. The Hacker News has reached out to the Union County Commissioners’ Office for further comment.
Negotiation Dynamics
The negotiation process lasted about a month, beginning with Kairos demanding $3 million for the release of over 2 terabytes of data, comprising approximately 1.6 million files. The county’s initial offer was $100,000, which gradually increased to $430,000. Eventually, Kairos lowered its demand to $1 million, setting a firm deadline for payment to avoid public disclosure of the files.
The payment was made on June 13, 2025, amounting to roughly 9.44 bitcoins, equivalent to about $1 million at the time. Following the transaction, the funds were quickly split and routed through multiple wallets, eventually reaching deposit addresses associated with various cryptocurrency exchanges, including Bybit and OKX.
Implications of Data Extortion
This incident underscores a significant shift in the tactics employed by cybercriminals. Union County labeled the event as ransomware, yet no files were actually locked, illustrating a trend where extortion is increasingly based on the threat of data exposure rather than encryption. A report from Sophos in 2025 indicated that only about half of ransomware attacks involved encryption, marking the lowest rate in six years. Some groups have entirely abandoned encryption in favor of pure data-theft extortion.
The negotiation tactics used by Kairos mirror those seen in other high-profile cases. For example, leaked chats from the Black Basta group revealed similar negotiation patterns, where demands fluctuated significantly before settling on a final payment.
Ongoing Threat Landscape
Although Kairos has not been active recently, with its leak site down and its last known victim reported in June 2026, the movement of funds from wallets associated with the operation as recently as May 2026 indicates that the group may still be operational. This serves as a reminder that the absence of visible activity does not equate to the dissolution of a cybercriminal organization.
For small government networks, the lessons from this incident are critical. Implementing multi-factor authentication is essential, as Kairos reportedly gained access by guessing a password. Additionally, organizations should monitor for unusual login attempts, large data transfers, and the use of temporary file-sharing links. Sensitive records, including legal and HR documents, should be isolated from the broader network to minimize risk. Having a public communication strategy in place before a crisis arises is also advisable, as is treating any assurances from cybercriminals regarding data deletion with skepticism.
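The three monitoring signals named above (a password-guessing burst, large outbound transfers, and traffic to temporary file-sharing services), as an added example that is not from the article or from the county's response: a small Python detector run over constructed log lines in an assumed format, with placeholder domain watchlist and thresholds.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in an assumed format; not from the incident.
AUTH_LOG = """\
2025-05-02T01:10:05 auth fail user=jdoe src=203.0.113.7
2025-05-02T01:10:09 auth fail user=jdoe src=203.0.113.7
2025-05-02T01:10:14 auth fail user=jdoe src=203.0.113.7
2025-05-02T01:10:20 auth fail user=jdoe src=203.0.113.7
2025-05-02T01:10:31 auth ok user=jdoe src=203.0.113.7
2025-05-02T08:15:00 auth ok user=asmith src=192.0.2.10
"""
EGRESS_LOG = """\
2025-05-02T01:22:00 egress src=10.0.5.21 dst=share.example-temp.test bytes=734003200
2025-05-02T01:25:10 egress src=10.0.5.21 dst=share.example-temp.test bytes=912261120
2025-05-02T09:00:00 egress src=10.0.5.30 dst=updates.example.test bytes=20480
"""
TEMP_SHARE_DOMAINS = {"share.example-temp.test"}  # assumed watchlist, placeholder name
AUTH_RE = re.compile(r"^(\S+) auth (fail|ok) user=(\S+) src=(\S+)$")
EGRESS_RE = re.compile(r"^(\S+) egress src=(\S+) dst=(\S+) bytes=(\d+)$")

def password_guessing(log, max_fails=3, window=timedelta(minutes=5)):
    """Return {(user, src): (failures, success_followed)} for bursts over max_fails."""
    recent, hits = defaultdict(list), {}
    for line in log.splitlines():
        m = AUTH_RE.match(line)
        if not m: continue
        ts, outcome, user, src = m.groups()
        t = datetime.fromisoformat(ts)
        key = (user, src)
        if outcome == "fail":  # keep only failures inside the sliding window
            recent[key] = [x for x in recent[key] if t - x <= window] + [t]
            if len(recent[key]) > max_fails:
                hits[key] = (len(recent[key]), False)
        elif key in hits:  # success right after a burst: password likely guessed
            hits[key] = (hits[key][0], True)
    return hits

def bulk_egress(log, byte_threshold=1_000_000_000):
    """Return alerts for temp file-sharing destinations or total bytes over threshold."""
    total, alerts = defaultdict(int), set()
    for line in log.splitlines():
        m = EGRESS_RE.match(line)
        if not m: continue
        _, src, dst, nbytes = m.groups()
        total[src] += int(nbytes)
        if dst in TEMP_SHARE_DOMAINS:
            alerts.add((src, "temp-share", dst))
    alerts |= {(s, "bulk-transfer", n) for s, n in total.items() if n > byte_threshold}
    return alerts
```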
This incident serves as a stark reminder of the evolving tactics employed by cybercriminals and the pressing need for robust cybersecurity measures across all sectors.
Source: thehackernews.com