US Government Entity Pays Kairos $1 Million in Data Theft Case

A US government agency paid nearly $1 million to keep stolen files from being leaked, according to a new study by Rakesh Krishnan of Ransom-ISAC, which builds on leaked chatbots and blockchain tracking the rest of the payment.
The strange part: the party that took the money calls itself Kairosbut it may not be a ransomware gang at all. Krishnan found no signs of ever locking a single machine: no encryptor, no locker, no need for a decryption key. The threat was simple. Steal files, then charge the victim not to publish them.
Krishnan did not name the victim, but the conversation points to Union County, Ohio. The plagiarism proof files have names like Union.xlsx, 1 union co psi template.doc, and a final archive called union.rar. The victim calls himself a small county with limited resources. The attacker relied on one folder in particular, labeled “prosecutor’s office,” warning that leaking it would help criminals avoid charges.
The clues fit the original case. In May 2025, Union County, Ohio, said it discovered ransomware on its network and later notified 45,487 residents and employees that their information had been taken, affecting most of the county’s approximately 70,000 residents. Stolen records range from Social Security and financial information to fingerprints and passport numbers.
Neither the district nor Kairos confirmed the connection. But if it agreed, the state government paid an estimated $1 million that it has never disclosed publicly. Hacker News has reached out to the Union County Commissioners’ office for comment. This story will be updated with any feedback.
The negotiations lasted for about a month. Kairos opened for $3 million and claimed to hold more than 2 terabytes of data, some 1.6 million files. This region started at $100,000, went up to $255,000, then $430,000. Kairos went down to $2 million, then set a firm final number: $1 million, pay by Friday, or the files will become public.
![]() |
| On-chain payment: about 9.44 BTC stays in the wallet connected to Kairos. |
It used the usual levels: a countdown timer, hard times, and threats to dump the most sensitive folders first. The district paid on June 13, 2025, ten times its original offer.
The payment was estimated at 9.44 bitcoin, worth about $1 million at the time. Krishnan traced the money from there. Within hours, it was split in two and pushed through a chain of wallets to a deposit address tied to crypto exchange Bybit, OKX, and a Russian service called BELQI.
That kind of hand-wringing by investigators leads, not words. And money didn’t buy anything solid. Kairos posted a “proof of deletion” file, but the list of file names only shows that the attacker once had the files, not that the originals were deleted. Paying to have stolen data disappear is an act of faith, and the receipt is written by the thief.

Union County called what happened to it ransomware, a term everyone is reaching for, but in the Kairos case, nothing was closed. That’s a real change: most so-called ransomware now bypasses encryption and uses the stolen data itself as a pressure point.
Sophos reported in 2025 that only about half of ransomware attacks still involved any encryption, the lowest rate in six years. Some workers have given up entirely. The Silent Ransom Group, an offshoot of Conti, has spent years running pure money for data theft against US law enforcement and unscrupulous financial firms.
Kairos dialogue fits the standard dialogue pattern, too. When Black Basta’s internal negotiations were leaked in February 2025, an analysis of the messages revealed an agreement from $1.5 million to a limit of $100,000 to a fee of $1 million, almost the same arc. Those conversations, and the Conti leaks before them in 2022, are how researchers are now reconstructing how these conversations came about.
Kairos is also silent. The leak site is down, and its last known victim appeared in June 2026. But the wallet tied to operations was still moving money as recently as May 2026, a reminder that a dark leak site is not the same as a dead team.
For anyone using a small government network, the lessons are dull and familiar, which is the point. Turn on multi-factor authentication, as Kairos claims to log in by guessing a password.
View failed duplicate logins, large outgoing data transfers, and file sharing links such as tem.sh addresses that Kairos uses to transfer files. Keep legal, HR, and citizen records walled off across the network. Have a public statement plan ready before you need it. And treat any promise to remove stolen data as nothing.




