Close Menu
  • Home
  • News
  • Security
  • Privacy
  • Cybercrime
    • Threat Groups
    • Ransomware
    • Explainers
    • Stealer Logs
  • AI
  • OSINT
  • Tools
    • Ransomtracker
    • Stealercheck
    • FortiBleed Checker
  • About Us
Facebook X (Twitter) Instagram Threads
Ransomnews
  • Home
  • News
  • Security
  • Privacy
  • Cybercrime
    • Threat Groups
    • Ransomware
    • Explainers
    • Stealer Logs
  • AI
  • OSINT
  • Tools
    • Ransomtracker
    • Stealercheck
    • FortiBleed Checker
  • About Us
Facebook X (Twitter) LinkedIn
Ransomnews
Cybercrime

Kairos took $1M from a US government body and encrypted nothing

Ransomnews Research TeamBy Ransomnews Research TeamJuly 10, 2026Updated:July 10, 2026No Comments5 Mins Read17 Views
Share Facebook Twitter Pinterest LinkedIn Tumblr Email Copy Link
Kairos took $1M from a US government body and encrypted nothing, ransomnews.com
Share
Facebook Twitter LinkedIn Pinterest Email Copy Link

A U.S. government entity paid roughly $1 million to the extortion group Kairos to keep stolen files from being published, according to a Ransom-ISAC case study built on a leaked negotiation chat and the blockchain trail the payment left. Kairos never encrypted a single machine. It stole the data, then charged the victim not to leak it. The victim paid 9.44 bitcoin, worth about $1 million that week, on 13 June 2025, ten times its own opening offer.

// KEY FACTS

Threat actor
Kairos
Victim
U.S. government entity (evidence points to Union County, Ohio) · Government / public sector · United States
Timeline
Attack: 2025-06-13  ·  Disclosed: 2026-07-02
Data claimed
claimed 2 TB / ~1.6 million files · County records; proof files named Union.xlsx, 1 union co psi template.doc, union.rar
Ransom status
Paid ~$1M (9.44 BTC) on 2025-06-13
Verification
Based on a leaked negotiation chat and blockchain analysis by Rakesh Krishnan for Ransom-ISAC; chat points to Union County, Ohio; victim has not publicly confirmed

The case is a clean example of where ransomware is heading in 2026: no encryptor, no locker, no decryption key, just theft and a threat. It also gives a rare, documented look at how a negotiation actually plays out and where the money goes afterward. The analysis, by Rakesh Krishnan for Ransom-ISAC, reconstructs the entire exchange from the chat log and traces the payment across the blockchain to deposit addresses at three exchanges.

Who is Kairos?

Kairos calls itself a ransomware group, but on this evidence it may not encrypt anything at all. Krishnan found no sign that it ever locked a machine: no encryptor, no locker, no demand for a decryption key. The model is pure data-theft extortion. Kairos steals files, proves it holds them, and charges the victim a fee to keep them off its leak site. That places it alongside a growing set of crews that have dropped encryption entirely because the theft alone is enough leverage. You can track named groups and their listings on the Ransomtracker feed and the threat-group catalogue.

What data did Kairos steal?

Kairos claimed to hold more than 2 TB of data across roughly 1.6 million files. The proof-of-theft files carry names like Union.xlsx, 1 union co psi template.doc, and a final archive called union.rar. Krishnan does not name the victim, but those filenames and the chat content point to Union County, Ohio. The victim has not publicly confirmed the incident, so the identification rests on the leaked evidence rather than an official disclosure. That distinction matters, and we flag it in the Key Facts above rather than stating the victim as settled fact.

How did the negotiation go?

Kairos opened at $3 million. The victim countered at $100,000 and inched up to $430,000, while Kairos dropped to $2 million before fixing a final $1 million deadline. The victim paid $1 million, ten times its own opening number. The leaked chat is the source for these figures, which is what makes the case unusually well documented: most negotiations are never seen from the inside.

Kairos negotiation timeline Attacker demand (green) vs victim offer (amber), USD $3.0M open $0.1M counter $2.0M drop $0.43M counter $1.0M paid Source: Ransom-ISAC case study, leaked negotiation chat, June 2025

Where did the money go?

The payment of roughly 9.44 bitcoin matched about $1 million at that week’s market prices. Within hours it was split in two and pushed through a chain of wallets toward deposit addresses tied to the exchanges Bybit and OKX, and a Russian service called BELQI. Blockchain tracing of that kind is exactly why paying rarely buys silence: the transaction is permanent and public, and the cash-out points are visible to anyone following the trail. Our own look at database ransom economics found most extortion wallets are never paid at all, which makes a $1 million public-sector payment a notable outlier worth studying.

What should public-sector bodies take from this?

Paying a data-theft extortion demand does not delete the data. It funds the operator, marks the victim as willing to pay, and leaves a permanent blockchain record. For a government entity there is an added problem: public money and public records, with the payment itself becoming a story once the chat leaks, as it did here. The defensive priority against theft-only crews is preventing bulk exfiltration in the first place: tight egress controls, alerting on large outbound transfers, and treating stolen credentials from initial access brokers as the likely entry point. Once 2 TB has left the building, the leverage has already shifted.

Frequently asked questions

Did Kairos encrypt any files?

No. Researchers found no encryptor, locker, or decryption demand. Kairos stole the data and charged the victim not to publish it, a pure data-theft extortion model.

How much did the victim pay Kairos?

The victim paid about

Frequently asked questions

million, or 9.44 bitcoin, on 13 June 2025. That was ten times its own opening offer of 0,000, after Kairos began at million.

Who was the victim?

The Ransom-ISAC analysis does not name the victim, but the leaked chat and proof files point to Union County, Ohio. The entity has not publicly confirmed the incident.

Can the payment be traced?

Yes. Researchers followed the 9.44 BTC as it was split and moved toward deposit addresses at Bybit, OKX, and the Russian service BELQI. Bitcoin transactions are permanent and public.

How was this case documented?

Rakesh Krishnan reconstructed it for Ransom-ISAC using a leaked negotiation chat and blockchain analysis, giving a rare inside view of the demands, the counters, and the final payment.

Sources and further reading

  • Ransom-ISAC: Kairos data-extortion case study
  • The Hacker News: U.S. government entity paid Kairos $1 million
  • Security Affairs: U.S. government agency paid $1M to Kairos
  • Ransomnews: Ransomware ditched encryption in May 2026
  • Ransomnews: 62% of database ransom wallets were never paid
Share. Facebook Twitter Pinterest LinkedIn Tumblr Telegram Email Copy Link
Previous ArticleJadePuffer: the first AI agent to run a ransomware attack
Next Article Anubis ransomware is exploiting Citrix Bleed 2 for access
Ransomnews Research Team

The Ransomnews Research Team is the collective byline used for collaborative pieces, editorial briefings, and articles drawing on contributions from multiple researchers. Coverage spans ransomware operations, breach economics, threat actor profiling, OSINT methodology, and emerging risks across security, privacy, and AI.

Related Posts

Anubis ransomware is exploiting Citrix Bleed 2 for access

July 10, 2026

XSS forum: from DaMaGeLaB to the 2025 takedown

June 29, 2026

1.16 billion attacks: how the FortiBleed crew broke FortiGate

June 19, 2026

Comments are closed.

Facebook X (Twitter) LinkedIn
© 2026 Ransomnews.com

Type above and press Enter to search. Press Esc to cancel.

Cookies on Ransomnews

We use strictly-necessary cookies to run the site and may use first-party analytics to understand which articles are read. Some pages contain affiliate links — when you click one, the affiliate network sets cookies on the merchant's domain to attribute the referral. See the Cookie Policy and Affiliate Disclosure for detail.

RANSOMNEWS.COM

Tracking the criminal infrastructure of the internet.

Independent coverage of ransomware, breach economics, threat actors, privacy, AI security, and the open-source investigation toolkit.

// Topics

  • News
  • Security
  • Privacy
  • Cybercrime
  • AI
  • OSINT
  • Threat Groups
  • Stealer Logs
  • Ransomtracker
  • Stealercheck
  • FortiBleed Checker

// Site

  • About Us
  • Editorial Team
  • Contact
  • Tip Line
  • Editorial

// Legal

  • Privacy Policy
  • Terms of Service
  • Cookie Policy
  • Funding & Independence
  • RSS Feed
© 2026 Ransomnews.com · Tracking the criminal infrastructure of the internet.