A U.S. government entity paid roughly $1 million to the extortion group Kairos to keep stolen files from being published, according to a Ransom-ISAC case study built on a leaked negotiation chat and the blockchain trail the payment left. Kairos never encrypted a single machine. It stole the data, then charged the victim not to leak it. The victim paid 9.44 bitcoin, worth about $1 million that week, on 13 June 2025, ten times its own opening offer.
The case is a clean example of where ransomware is heading in 2026: no encryptor, no locker, no decryption key, just theft and a threat. It also gives a rare, documented look at how a negotiation actually plays out and where the money goes afterward. The analysis, by Rakesh Krishnan for Ransom-ISAC, reconstructs the entire exchange from the chat log and traces the payment across the blockchain to deposit addresses at three exchanges.
Who is Kairos?
Kairos calls itself a ransomware group, but on this evidence it may not encrypt anything at all. Krishnan found no sign that it ever locked a machine: no encryptor, no locker, no demand for a decryption key. The model is pure data-theft extortion. Kairos steals files, proves it holds them, and charges the victim a fee to keep them off its leak site. That places it alongside a growing set of crews that have dropped encryption entirely because the theft alone is enough leverage. You can track named groups and their listings on the Ransomtracker feed and the threat-group catalogue.
What data did Kairos steal?
Kairos claimed to hold more than 2 TB of data across roughly 1.6 million files. The proof-of-theft files carry names like Union.xlsx, 1 union co psi template.doc, and a final archive called union.rar. Krishnan does not name the victim, but those filenames and the chat content point to Union County, Ohio. The victim has not publicly confirmed the incident, so the identification rests on the leaked evidence rather than an official disclosure. That distinction matters, and we flag it in the Key Facts above rather than stating the victim as settled fact.
How did the negotiation go?
Kairos opened at $3 million. The victim countered at $100,000 and inched up to $430,000, while Kairos dropped to $2 million before fixing a final $1 million deadline. The victim paid $1 million, ten times its own opening number. The leaked chat is the source for these figures, which is what makes the case unusually well documented: most negotiations are never seen from the inside.
Where did the money go?
The payment of roughly 9.44 bitcoin matched about $1 million at that week’s market prices. Within hours it was split in two and pushed through a chain of wallets toward deposit addresses tied to the exchanges Bybit and OKX, and a Russian service called BELQI. Blockchain tracing of that kind is exactly why paying rarely buys silence: the transaction is permanent and public, and the cash-out points are visible to anyone following the trail. Our own look at database ransom economics found most extortion wallets are never paid at all, which makes a $1 million public-sector payment a notable outlier worth studying.
What should public-sector bodies take from this?
Paying a data-theft extortion demand does not delete the data. It funds the operator, marks the victim as willing to pay, and leaves a permanent blockchain record. For a government entity there is an added problem: public money and public records, with the payment itself becoming a story once the chat leaks, as it did here. The defensive priority against theft-only crews is preventing bulk exfiltration in the first place: tight egress controls, alerting on large outbound transfers, and treating stolen credentials from initial access brokers as the likely entry point. Once 2 TB has left the building, the leverage has already shifted.
Frequently asked questions
Did Kairos encrypt any files?
No. Researchers found no encryptor, locker, or decryption demand. Kairos stole the data and charged the victim not to publish it, a pure data-theft extortion model.
How much did the victim pay Kairos?
The victim paid about
Frequently asked questions
million, or 9.44 bitcoin, on 13 June 2025. That was ten times its own opening offer of 0,000, after Kairos began at million.Who was the victim?
The Ransom-ISAC analysis does not name the victim, but the leaked chat and proof files point to Union County, Ohio. The entity has not publicly confirmed the incident.
Can the payment be traced?
Yes. Researchers followed the 9.44 BTC as it was split and moved toward deposit addresses at Bybit, OKX, and the Russian service BELQI. Bitcoin transactions are permanent and public.
How was this case documented?
Rakesh Krishnan reconstructed it for Ransom-ISAC using a leaked negotiation chat and blockchain analysis, giving a rare inside view of the demands, the counters, and the final payment.
