U.S. Government Entity Paid Kairos $1 Million in Data-Theft Extortion Case
What happened
A U.S. government entity reportedly paid about $1 million to prevent stolen files from being leaked by an extortion group calling itself Kairos. The case was detailed in a Ransom-ISAC study based on a leaked negotiation chat and blockchain tracing. While Kairos presented itself as a ransomware group, the case showed no evidence of file encryption, a locker, or a decryption demand. The pressure came from data theft and the threat of public exposure.
The victim was not named in the case study, but details in the negotiation chat pointed to Union County, Ohio. The proof-of-theft files included names such as Union.xlsx, 1 union co psi template.doc, and union.rar, and the victim described itself as a small county with limited resources. The attacker also emphasized a folder labeled “prosecutors office,” warning that leaking it could help criminals avoid charges.
The clues align with a real Union County incident disclosed in May 2025, when the county said it detected ransomware on its network and later notified 45,487 residents and staff that their data had been taken. The stolen information reportedly included Social Security numbers, financial details, fingerprints, and passport numbers. Neither Union County nor Kairos has confirmed the connection.
The negotiation lasted about a month. Kairos initially demanded $3 million and claimed to have more than 2 terabytes of data across roughly 1.6 million files. The victim started at $100,000 and later increased its offers to $255,000 and $430,000, while Kairos lowered its demand to $2 million before setting a final price of $1 million. The payment was made on June 13, 2025, in roughly 9.44 bitcoin.
The blockchain trail showed the funds were quickly split and moved through a series of wallets toward deposit addresses tied to Bybit, OKX, and a Russian service called BELQI. Kairos provided a “proof of deletion” file, but the study noted that such proof only shows the attacker once had the files, not that every copy of the stolen data was actually destroyed. Kairos’s leak site is now down, though a wallet tied to the operation was still moving money as recently as May 2026.
Who is affected
The affected victim appears to be a small U.S. county government, with Union County, Ohio, identified as the likely match based on file names, victim descriptions, and the timing of a previously disclosed breach.
Residents, staff, and other individuals whose data may have been included in the stolen files are also affected. In the Union County case, the exposed information reportedly included sensitive personal and identity data such as Social Security numbers, financial details, fingerprints, and passport numbers.
Other local governments are also affected by the broader lesson. Small public-sector organizations often hold highly sensitive records but may have limited security resources, making them attractive targets for data-theft extortion groups.
Why CISOs should care
This case shows how extortion groups that brand themselves as ransomware operations have shifted beyond encryption. Kairos allegedly stole files and demanded payment not to publish them, but there was no evidence that systems were locked or that a decryption key was ever involved.
For CISOs, that changes the response model. Backups are still important, but they do not solve the extortion risk when attackers already have sensitive records, legal files, HR documents, or citizen data.
The case also highlights the limits of paying for deletion. A file list or deletion claim from an attacker cannot prove that stolen data was actually erased, copied nowhere else, or withheld from other criminal actors.
The public-sector angle matters because county governments can hold high-value personal, legal, law enforcement, and administrative records while operating with constrained budgets and lean security teams.
3 practical actions
Strengthen authentication before attackers get in: Kairos reportedly claimed it gained access by guessing a password. CISOs should enforce multi-factor authentication on every public-facing and remote-access service, alert on bursts of failed logins (one account hammered from a single source, or one source trying many accounts, the password-spraying pattern), and eliminate weak or reused passwords.
Segment sensitive government records: The attacker emphasized a folder tied to the prosecutor’s office. Local governments should separate legal, HR, citizen, financial, and law enforcement records from general network access and apply stricter controls to the most sensitive repositories.
Prepare for data-theft extortion, not just encryption: Organizations should have a response plan for stolen-data threats, including legal review, public communications, notification workflows, blockchain tracing support, and a clear policy on ransom negotiations and deletion claims.
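As an added illustration of the first action above (example code written for this page, not code from the Ransom-ISAC study, from Union County, or from any product), the script below runs two simple rules over a constructed, simplified authentication log: a brute-force rule (many failures for one account from one source inside a time window) and a spray rule (one source failing against many different accounts inside the window). It also raises a higher-severity alert when a source that tripped either rule then logs in successfully, which is the event that would have mattered in a case where access was gained by guessing a password. The log format, account names, IP addresses (from documentation ranges), and thresholds are all assumptions chosen for the example.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# Constructed, simplified log format (an assumption, not any real product's format):
#   <ISO timestamp> <FAIL|OK> user=<account> src=<source ip>
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<result>FAIL|OK)\s+user=(?P<user>\S+)\s+src=(?P<ip>\S+)$"
)

# Constructed sample log lines; IPs are from RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2025-05-01T02:00:00 FAIL user=admin src=203.0.113.7
2025-05-01T02:00:05 FAIL user=jsmith src=203.0.113.7
2025-05-01T02:00:11 FAIL user=clerk src=203.0.113.7
2025-05-01T02:00:16 FAIL user=prosecutor src=203.0.113.7
2025-05-01T02:00:22 FAIL user=payroll src=203.0.113.7
2025-05-01T02:03:40 OK user=payroll src=203.0.113.7
2025-05-01T02:10:00 FAIL user=admin src=198.51.100.9
2025-05-01T02:10:02 FAIL user=admin src=198.51.100.9
2025-05-01T02:10:04 FAIL user=admin src=198.51.100.9
2025-05-01T02:10:06 FAIL user=admin src=198.51.100.9
2025-05-01T02:10:08 FAIL user=admin src=198.51.100.9
2025-05-01T08:15:00 FAIL user=mjones src=192.0.2.10
2025-05-01T08:15:20 OK user=mjones src=192.0.2.10
""".splitlines()


def parse_events(lines):
    """Parse log lines into (timestamp, result, user, ip) tuples, sorted by time.
    Malformed lines are skipped rather than aborting the whole run."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["ip"]))
    events.sort(key=lambda e: e[0])
    return events


def detect_password_guessing(lines, window=timedelta(minutes=10),
                             brute_threshold=5, spray_threshold=4):
    """Return a list of alert dicts. Thresholds and window are illustrative assumptions.

    brute_force:            >= brute_threshold failures for one account from one source in the window
    spray:                  failures against >= spray_threshold distinct accounts from one source in the window
    success_after_guessing: a successful login from a source that tripped either rule within the window
    """
    recent = {}    # ip -> deque of (ts, user) failures still inside the window
    flagged = {}   # ip -> timestamp of the most recent guessing activity that tripped a rule
    seen = set()   # (rule, ip, user) already alerted, so one burst yields one alert
    alerts = []

    for ts, result, user, ip in parse_events(lines):
        q = recent.setdefault(ip, deque())
        while q and ts - q[0][0] > window:   # drop failures that aged out of the window
            q.popleft()

        if result == "FAIL":
            q.append((ts, user))
            per_user = sum(1 for _, u in q if u == user)
            distinct = len({u for _, u in q})
            if per_user >= brute_threshold:
                flagged[ip] = ts
                if ("brute_force", ip, user) not in seen:
                    seen.add(("brute_force", ip, user))
                    alerts.append({"rule": "brute_force", "ip": ip, "user": user,
                                   "count": per_user, "at": ts.isoformat()})
            if distinct >= spray_threshold:
                flagged[ip] = ts
                if ("spray", ip, None) not in seen:
                    seen.add(("spray", ip, None))
                    alerts.append({"rule": "spray", "ip": ip, "distinct_users": distinct,
                                   "at": ts.isoformat()})
        else:
            # A success shortly after a source tripped a guessing rule is the
            # event to treat as a probable compromise, not as noise.
            if ip in flagged and ts - flagged[ip] <= window:
                alerts.append({"rule": "success_after_guessing", "ip": ip, "user": user,
                               "at": ts.isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in detect_password_guessing(SAMPLE_LOG):
        print(alert)
```

On the constructed log the script emits three alerts: a spray alert for 203.0.113.7 once it has failed against four accounts, a success_after_guessing alert when that same source then logs in as payroll, and a brute_force alert for 198.51.100.9 after five failures against admin. The single failed-then-successful login from 192.0.2.10 produces nothing, which is the behaviour you want so that analysts are not flooded by ordinary typos. In production the same two rules would run against the real log source (VPN, remote desktop gateway, webmail, identity provider) and the thresholds would be tuned to that service's baseline.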