U.S. Government Agency Paid $1M to Data Extortion Group Kairos

A U.S. government agency paid $1M to Kairos, a group focused on data theft and extortion rather than ransomware, Ransom-ISAC reports.

A new case study from Ransom-ISAC reconstructs a complete data-extortion incident involving a U.S. government body and a threat actor called Kairos, using a leaked negotiation transcript and blockchain tracing of the ransom payment. The victim paid roughly $1 million in Bitcoin on June 13, 2025. The uncomfortable detail: Kairos has never been confirmed to have deployed ransomware at all.

“On 19 May 2025, a U.S. government entity was reportedly targeted by Kairos. Kairos later claimed the access was obtained through a brute-force credential attack. The entity was listed on Kairos’s victim site on 21 May 2025,” reads the report published by Ransom-ISAC.

Rather than deploying encryption, Kairos appears to have focused on data exfiltration and public-exposure pressure. The group claimed to hold more than 1.6 million files — 1,602,775 files in total — and 2 TB of data before making contact.

No encryptor, no locker binary, no decryption key demand. What Kairos appears to have done is steal data, then charge the victim not to publish it. As the Ransom-ISAC report states:

“No ransomware sample, encryptor, or locker binary has been obtained or confidently linked to Kairos,” the report continues. “On the available evidence, the U.S. government body paid a seven-figure ransom to a threat actor whose ‘ransomware group’ status remains unverified and whose leverage appears to have been based on data-theft and publication pressure rather than demonstrated ransomware capability.”

The victim called the incident ransomware. The word no longer means what most people think it means.

The report doesn’t name the victim, citing privacy concerns. The transcript does the naming itself. The requested sample files include documents called Union.xlsx, “1 union co psi template.doc,” and a final archive delivered post-payment called union.rar. The victim describes itself as “a small county with limited resources.”

The timeline fits: in May 2025, Union County, Ohio, disclosed it had detected a network intrusion and later notified 45,487 residents and employees that their data had been stolen, covering most of a county of roughly 70,000 people. The stolen records included Social Security numbers, financial details, fingerprints, and passport numbers. Neither the county nor Kairos has confirmed the connection.

I conducted personal research and I can confirm that Union County stated cybercriminals accessed the County’s network between May 6 and 18, 2025 and stole some data. By August 25, officials had finished reviewing the breach and had begun notifying affected individuals. However, the government entity at the time confirmed a ransomware attack, as reported in the data breach notification letter.

“On May 18, 2025, the County detected ransomware on our computer network. As soon as we learned this, we immediately launched an investigation with assistance from nationally recognized third-party cybersecurity and data forensics consultants to secure our network and investigate the scope of the incident. We also alerted federal law enforcement,” reads the data breach notification letter sent to the impacted individuals and shared with the Maine Attorney General. “Through our investigation, we determined that the cyber criminals accessed our network from May 6, 2025 through May 18, 2025, and took some County data.”

Kairos listed the victim on its leak site on May 21, 2025, two days after first contact. The group claimed to hold more than 2 terabytes of data, specifically 1,602,775 files. Kairos later claimed the access was obtained through a brute-force credential attack: a single guessed password.

The transcript covers 28 days of back-and-forth. Kairos opened at $3 million. The victim countered at $100,000 on June 4, then raised to $255,000, then $430,000. Kairos dropped to $2 million, held there briefly, then issued a hard deadline: $1 million by Friday or the files go public. The victim paid. The final payment was 33 times the first offer and 2.3 times the highest recorded counter.

Kairos ran a disciplined negotiation. Responses came within minutes to a few hours throughout the 28-day window, suggesting an actively monitored channel. The pressure tactics were textbook: a countdown timer, escalating deadlines, selective reference to the most sensitive material. Kairos specifically highlighted a folder marked “prosecutors office,” warning that leaking it would help criminals avoid prosecution and cause a public outcry.

“Kairos maintained leverage by controlling deadlines, publication threats, and proof-of-access artefacts. The affected entity’s responses are consistent with an organization buying time while legal, leadership, financial, and communications decisions were coordinated,” the report continues. “Phrases such as ‘we appreciate your patience’ and ‘we respect the effort you’ve made’ should be read as channel-preservation language, not endorsement of the attacker’s conduct.”

Public-sector incident response requires coordinating legal, financial, leadership, and communications teams simultaneously, and the transcript shows exactly that process playing out in slow motion under deadline pressure.

After payment, Kairos sent over a “proof of deletion” file: a 238 MB text file listing filenames. That list proves the attacker once had the files. It proves nothing about whether they were destroyed. There was no hash verification, no cryptographic binding, no exit-code logging. The same list could be generated by running a script against a copy of the stolen data sitting on a different server. As Ransom-ISAC’s report puts it directly:

“The provided ‘proof of deletion’ was not technically verifiable and should not be treated as evidence that the stolen data was destroyed.”

Paying to make stolen data disappear is an act of faith, and the receipt is written by the thief.

Krishnan traced the approximately 9.44 BTC from the Kairos payment wallet through its subsequent movement. Within hours of receipt, the funds split into two branches: 6.61 BTC went to a wallet Ransom-ISAC calls the “Main Guy,” and 2.83 BTC went to a “Helper” wallet. The Main Guy branch moved 6.50 BTC toward a ByBit deposit address three days later. The Helper branch fragmented through a series of intermediate wallets before touching addresses associated with OKX and a Russian exchange called BELQI.

The entire active transfer window ran from June 16 at 15:52 UTC to 19:26 UTC, three hours and 34 minutes. The speed and structure of the movement (rapid splitting into branches, repeated use of the same OKX deposit addresses, routing toward a Russian exchange) reflect deliberate operational tradecraft. The report identifies four high-confidence wallet addresses associated with the payment flow and linked to ByBit, OKX, and BELQI. These are investigative leads, not attribution. Exchange records and subpoenas are what convert blockchain tracing into named individuals.
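The tracing the report describes (follow outputs from the payment wallet hop by hop, total each branch, note where funds touch labelled exchange deposit addresses, and measure how fast it all happened) can be reduced to a small graph walk. The following is an added example, not code from Ransom-ISAC or from the article; the transaction graph is constructed to mirror the shape of the flow described above, with placeholder labels standing in for Bitcoin addresses and illustrative amounts and timestamps. Real work feeds the same routine with chain data and an attribution dataset for exchange addresses.

```python
from collections import Counter, defaultdict, deque
from datetime import datetime, timezone

# Constructed transaction edges: (from, to, BTC, UTC timestamp).
# Labels such as "payment_wallet" are placeholders, NOT real addresses.
TXS = [
    ("payment_wallet", "main_guy",        6.61, "2025-06-16T15:52:00Z"),
    ("payment_wallet", "helper",          2.83, "2025-06-16T15:52:00Z"),
    ("main_guy",       "bybit_deposit_1", 6.50, "2025-06-16T16:40:00Z"),
    ("helper",         "hop_a",           1.50, "2025-06-16T17:05:00Z"),
    ("helper",         "hop_b",           1.33, "2025-06-16T17:05:00Z"),
    ("hop_a",          "okx_deposit_1",   1.49, "2025-06-16T18:30:00Z"),
    ("hop_b",          "okx_deposit_1",   0.70, "2025-06-16T19:00:00Z"),
    ("hop_b",          "belqi_deposit_1", 0.62, "2025-06-16T19:26:00Z"),
]

# Constructed exchange attribution: deposit address -> exchange name.
EXCHANGE_LABELS = {
    "bybit_deposit_1": "ByBit",
    "okx_deposit_1": "OKX",
    "belqi_deposit_1": "BELQI",
}


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def trace(txs, origin, labels, max_hops=6):
    """Breadth-first walk of outgoing transfers from `origin`.

    Returns first-hop branch totals, BTC reaching each labelled exchange,
    the hop count at which each exchange was first touched, how many
    separate transfers hit each deposit address (address reuse), and the
    active transfer window in minutes. The walk stops at labelled exchange
    addresses: funds inside an exchange are no longer traceable on-chain.
    """
    out_edges = defaultdict(list)
    for src, dst, amt, ts in txs:
        out_edges[src].append((dst, amt, parse_ts(ts)))

    branches = defaultdict(float)
    exchange_btc = defaultdict(float)
    exchange_hop = {}
    deposit_reuse = Counter()
    times = []
    visited = set()
    queue = deque([(origin, 0)])
    while queue:
        addr, depth = queue.popleft()
        if addr in visited or depth >= max_hops:
            continue
        visited.add(addr)
        for dst, amt, t in out_edges[addr]:
            times.append(t)
            if depth == 0:
                branches[dst] = round(branches[dst] + amt, 8)
            label = labels.get(dst)
            if label:
                exchange_btc[label] = round(exchange_btc[label] + amt, 8)
                exchange_hop.setdefault(label, depth + 1)
                deposit_reuse[dst] += 1
            else:
                queue.append((dst, depth + 1))

    window = (max(times) - min(times)) if times else None
    return {
        "branches": dict(branches),
        "exchange_btc": dict(exchange_btc),
        "exchange_hop": exchange_hop,
        "deposit_reuse": dict(deposit_reuse),
        "first_move": min(times) if times else None,
        "window_minutes": int(window.total_seconds() // 60) if window else None,
    }


if __name__ == "__main__":
    r = trace(TXS, "payment_wallet", EXCHANGE_LABELS)
    print("branches:", r["branches"])
    print("exchange touchpoints:", r["exchange_btc"], "at hops", r["exchange_hop"])
    print("reused deposit addresses:", {a: n for a, n in r["deposit_reuse"].items() if n > 1})
    print("active window:", r["window_minutes"], "minutes from", r["first_move"])
```

The output is what the report calls investigative leads: which branch carried the bulk, which exchanges received deposits and at what hop depth, and which deposit address was reused. Nothing here names a person; that step needs exchange records.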

Kairos first appeared in November 2024 and has listed 88 victims on its leak site. The group operated through a Tor onion address and an email contact at kairossup@onionmail.com, a naming convention that echoes LockBit’s “LockBitSupp” handle, though Ransom-ISAC notes that’s a branding similarity only.

In January 2026, infrastructure hunting identified a likely backend server for the Kairos leak site resolving to 62.182.81.38, hosted on Virtual Systems LLC in Ukraine, an ASN that has appeared in previous malware and Cobalt Strike-related infrastructure reporting. The server was later found displaying a seizure notice attributed to Ukraine’s Security Service Cyber Department. The leak site is now down. A wallet tied to the operation was still moving funds as recently as May 2026. A seized website and an active wallet are two different things.

The broader shift Kairos represents is real and documented. The operational disruption is limited. The legal, reputational, and public-trust pressure is severe, particularly for a county government holding law enforcement records.

“This case illustrates how data-only extortion can create significant pressure even without encryption or operational disruption. Kairos used file-access claims, publication threats, staged concessions, and deadline pressure to secure a successful seven-figure ransom payment from a U.S. government body,” concludes the report. “The blockchain activity provides useful investigative leads, including rapid fund splitting and exchange touchpoints, but it should not be treated as standalone attribution. The strongest finding is operational: public-sector organizations need pre-authorized escalation paths, negotiation support, egress monitoring, and a clear understanding that attacker deletion claims are not independently verifiable.”
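Of the four recommendations in that conclusion, egress monitoring is the one that turns into code. Moving 2 TB out of a small county network is not invisible: it shows up as a host sending far more than its own daily norm, usually to a destination it has never talked to. The example below is added here and is not code from Ransom-ISAC or from the article; the flow-log format, the RFC 5737 documentation addresses, the baseline scheme (a host's own median daily egress) and the thresholds are all constructed for illustration and would be tuned against real NetFlow, VPC flow logs or firewall exports.

```python
import re
import statistics
from collections import defaultdict

GB = 1024 ** 3

# Constructed flow-log format: one aggregated outbound flow per line.
FLOW_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) bytes_out=(?P<bytes>\d+)$"
)

# Constructed sample: a file server with ~2 GiB/day of routine backup traffic,
# then 500 GiB pushed to a never-before-seen host on one night. Addresses are
# RFC 5737 documentation ranges, not real infrastructure.
SAMPLE_FLOWS = """\
2025-05-08T01:00:00Z src=10.20.1.15 dst=198.51.100.20 dport=443 bytes_out=2147483648
2025-05-09T01:00:00Z src=10.20.1.15 dst=198.51.100.20 dport=443 bytes_out=2254857830
2025-05-10T01:00:00Z src=10.20.1.15 dst=198.51.100.20 dport=443 bytes_out=2040109466
2025-05-11T01:00:00Z src=10.20.1.15 dst=198.51.100.20 dport=443 bytes_out=2147483648
2025-05-12T01:00:00Z src=10.20.1.15 dst=198.51.100.20 dport=443 bytes_out=2147483648
2025-05-12T02:14:00Z src=10.20.1.15 dst=203.0.113.7 dport=22 bytes_out=429496729600
2025-05-12T03:40:00Z src=10.20.1.15 dst=203.0.113.7 dport=22 bytes_out=107374182400
2025-05-12T09:00:00Z src=10.20.1.33 dst=198.51.100.44 dport=443 bytes_out=52428800
"""


def parse_flows(text):
    """Parse flow lines into dicts; silently skip lines that do not match."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        flows.append({"day": d["ts"][:10], "src": d["src"], "dst": d["dst"],
                      "dport": int(d["dport"]), "bytes": int(d["bytes"])})
    return flows


def detect_egress_anomalies(flows, spike_factor=5.0, new_dst_floor=10 * GB):
    """Two detections over per-host daily egress.

    volume_spike: a host's daily total exceeds spike_factor times the median
        of its other observed days (needs at least two days of history).
    new_destination_bulk: a host sends >= new_dst_floor bytes, in one day, to a
        destination it had never been seen talking to before that day.
    """
    daily = defaultdict(int)        # (src, day) -> bytes
    per_dst = defaultdict(int)      # (src, day, dst) -> bytes
    first_seen = {}                 # (src, dst) -> first day observed
    for f in sorted(flows, key=lambda f: f["day"]):
        daily[(f["src"], f["day"])] += f["bytes"]
        per_dst[(f["src"], f["day"], f["dst"])] += f["bytes"]
        first_seen.setdefault((f["src"], f["dst"]), f["day"])

    alerts = []
    by_src = defaultdict(dict)
    for (src, day), b in daily.items():
        by_src[src][day] = b
    for src, days in by_src.items():
        if len(days) < 2:
            continue  # no baseline for this host yet
        for day, b in days.items():
            baseline = statistics.median(v for d, v in days.items() if d != day)
            if b > spike_factor * baseline:
                alerts.append({"type": "volume_spike", "src": src, "day": day,
                               "bytes": b, "baseline": baseline})
    for (src, day, dst), b in per_dst.items():
        if first_seen[(src, dst)] == day and b >= new_dst_floor:
            alerts.append({"type": "new_destination_bulk", "src": src,
                           "day": day, "dst": dst, "bytes": b})
    return alerts


if __name__ == "__main__":
    for a in detect_egress_anomalies(parse_flows(SAMPLE_FLOWS)):
        print(a)
```

Both detections fire on the constructed night of 2025-05-12 and stay quiet on the routine days, which is the property that matters: a baseline built from the host's own history, not a fixed byte count, is what keeps a backup server's normal traffic from drowning the alert. In a real deployment the new-destination check is usually the earlier signal, since exfiltration to attacker infrastructure starts before the daily total looks abnormal.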


Pierluigi Paganini

(SecurityAffairs – hacking, Kairos)
