A U.S. government entity paid roughly $1 million in bitcoin to the Kairos ransomware group on June 13, 2025, to prevent the release of over 2 terabytes of stolen data. Kairos never deployed an encryptor; the extortion relied solely on the threat of publication. The payment, traced on-chain to addresses linked to Bybit, OKX, and the Russian service BELQI, highlights the definitive shift toward pure data-theft extortion. The victim is likely Union County, Ohio, identified through filenames in the proof-of-theft matching a May 2025 breach notification affecting 45,487 individuals, though neither the county nor Kairos has confirmed the link.

A U.S. government entity transferred roughly $1 million in bitcoin to the Kairos group on June 13, 2025, capping a month-long negotiation. The payment did not secure the return of encrypted files: Kairos never deployed an encryptor. The goal was to block the release of more than 2 terabytes of stolen data, in a case that documents the decisive shift to pure data-theft extortion. Rakesh Krishnan reconstructed the episode for Ransom-ISAC from leaked negotiation chats and the blockchain trail left by the transfer.

Key Takeaways
  • A U.S. government entity paid roughly 9.44 BTC, equivalent to about $1 million, to the Kairos group on June 13, 2025, to block the publication of exfiltrated data
  • Kairos used no encryptor, locker, or encryption mechanism: the extortion relied exclusively on the threat of disclosing the stolen files
  • The likely victim is Union County, Ohio, identified through filenames in the proof of theft matching the county's public May 2025 data breach notification
  • The payment was traced on-chain to addresses linked to the Bybit and OKX exchanges and the Russian service BELQI, though the final destination of the funds is not verifiable

The Negotiation: From $3 Million to $1 Million, With Tenfold Escalation

Kairos opened negotiations with a $3 million demand. The government entity countered at $100,000, then raised its offer to $255,000, then $430,000. The group dropped to $2 million before settling on a final price of $1 million—exactly ten times the initial offer. The negotiation stretched over roughly a month, with Kairos applying pressure through timed countdowns and selective threats concerning data deemed sensitive, particularly the contents of a folder named "prosecutors office."

Kairos claimed to hold over 2 terabytes of data, corresponding to approximately 1.6 million files. Initial access, according to the group's own chat statements, occurred by "simply guessing a password." If confirmed, this places the incident in a category of attacks that require no zero-day exploits or complex vulnerability chains, but instead exploit weak or inadequately protected credentials.

"Paying to make stolen data disappear is an act of faith, and the receipt is written by the thief."

Union County, Ohio: The Likely but Unconfirmed Victim

Files Kairos displayed as proof of possession include names such as Union.xlsx, union co psi template.doc, and union.rar, along with references to "prosecutors office." These elements point to Union County, Ohio, which in May 2025 notified 45,487 residents and staff members of a data breach. The public notice included sensitive data such as SSNs, financial details, fingerprints, and passport numbers. The county's total estimated population is roughly 70,000; the notification affected a significant share of the local community.

Neither Union County nor Kairos has confirmed a link between the June 2025 payment and the government entity involved in the negotiation. The Ransom-ISAC case study rests on inductive correlations, not official statements. This limitation matters: the payment is documented on the blockchain, but the victim's identification remains probable, not certain.

Blockchain Tracing: To Exchanges and Russian Services

The transfer of roughly 9.44 BTC was split into two parts and routed to deposit addresses linked to the Bybit and OKX exchanges and the Russian service BELQI. These nodes represent waypoints in the laundering circuit, not the final destination of the funds. The wallet tied to the operation showed activity through May 2026—eleven months after the payment—indicating the group's financial infrastructure remained active even as Kairos's leak site went offline.

The group's last known victim dates to June 2026. This timeline, combined with the wallet activity, suggests Kairos continued operations beyond the documented incident, though the methods and volumes are not reconstructable from the available dossier.

The "Proof of Deletion" as an Act of Faith

After payment, Kairos provided a file named "proof of deletion" containing a list of filenames. This document does not prove the actual deletion of the original data; it demonstrates only that the attacker had access to the files at the time of negotiation. The exfiltrated data may have been duplicated, archived in multiple locations, or resold to third parties independently of the proof's delivery. The source documents no technical verification measures undertaken by the victim post-payment.

The Kairos case fits a broader trend: according to data reported by The Hacker News, roughly 50% of ransomware attacks in 2025 still included an encryption component, the lowest rate in six years. The shift to pure data-theft extortion removes a traditional detection vector: the absence of an encryptor means no indicators of compromise tied to mass encryption, which typically trigger endpoint monitoring alerts.

Why It Matters

The case documents a structural limit in current defenses: pure data-theft extortion produces no technical artifacts detectable by standard anti-ransomware tools. The exfiltration of 2 terabytes without encryption leaves network traces, but not the anomalous mass file-access and file-rewrite patterns that endpoint tools rely on to detect an encryptor at work.
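One way to watch the network trace that an encryptor-less exfiltration still leaves, added here as an illustration and not part of the Ransom-ISAC brief or of any tooling the victim is known to have used: a small Python script that sums each internal host's daily bytes sent to external addresses from constructed Zeek-style conn.log lines and flags days far above that host's own baseline. The log lines, hosts, addresses, byte counts, internal address ranges and thresholds are all assumptions made for the example.

```python
"""Egress-volume check for data theft without an encryptor.
Input: constructed Zeek-style conn.log lines (ts, id.orig_h, id.resp_h,
orig_bytes, whitespace-separated). Hosts, addresses, byte counts and
thresholds are made-up assumptions for illustration."""
import ipaddress
import statistics
from collections import defaultdict
from datetime import datetime, timezone
SAMPLE_CONN_LOG = """\
1749600000 10.20.1.15 203.0.113.10 52000000
1749600100 10.20.1.15 10.20.9.9 9000000000
1749686400 10.20.1.15 203.0.113.10 48000000
1749772800 10.20.1.15 203.0.113.10 61000000
1749859200 10.20.1.15 198.51.100.77 410000000000
1749859300 10.20.1.15 198.51.100.77 390000000000
1749600000 10.20.1.40 203.0.113.10 12000000
1749686400 10.20.1.40 203.0.113.10 15000000
1749772800 10.20.1.40 203.0.113.10 11000000
1749859200 10.20.1.40 203.0.113.10 13000000
"""
# Address ranges treated as internal (an assumption for this example)
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def daily_egress(log_text):
    """Return {host: {day: bytes}} counting only bytes sent to external IPs."""
    totals = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        ts, src, dst, orig_bytes = line.split()
        if is_internal(dst):
            continue  # copies to internal servers are staging, not egress
        day = datetime.fromtimestamp(int(ts), tz=timezone.utc).date().isoformat()
        totals[src][day] += int(orig_bytes)
    return totals

def flag_exfil(totals, ratio=10.0, floor_bytes=5 * 10**9):
    """Flag (host, day, bytes) when a day's egress exceeds an absolute floor
    and ratio x that host's median egress on its other logged days."""
    alerts = []
    for host, days in totals.items():
        for day, sent in sorted(days.items()):
            others = [b for d, b in days.items() if d != day]
            baseline = statistics.median(others) if others else 0
            if sent >= floor_bytes and sent > ratio * max(baseline, 1):
                alerts.append((host, day, sent))
    return alerts
```

On the constructed input only the 800 GB day from 10.20.1.15 is flagged; the 9 GB copy to an internal server is ignored because it never crosses the network boundary, which is why a per-host external-egress baseline rather than raw traffic volume is the useful signal here.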

The brief does not specify whether the victim had implemented Data Loss Prevention controls, transfer-volume monitoring, or network segmentation. It does not document whether the government entity initiated post-incident procedures or whether federal or state policies govern extortion payments by public administrations. The dossier reports no specific remedial measures adopted after the payment.

The source does not specify the full nature of the exfiltrated data beyond references to the "prosecutors office" folder and the general categories indicated in the breach notice. It is not clear whether the data was subsequently published on other channels or appeared on secondary markets.

The Takeaway: When Local Government Pays for Control That Does Not Exist

The $1 million payment bought the county a temporary reprieve: the suspension of publication, not the restoration of security. The asymmetric structure of the negotiation (an offer raised tenfold, a technically useless proof of deletion, no guarantees of any kind) reflects the power imbalance between an organization with limited resources and an actor operating through masked identities and unreachable jurisdictions.

The case raises transparency questions the dossier does not resolve: a public entity that pays a ransom without encryption may not have a mandatory obligation to disclose the operation as a "ransomware incident," because no system was technically rendered unusable. This classification gap can prevent accurate counting of the phenomenon's scale and the correct allocation of defense resources.

Sources and references
  1. thehackernews.com
  2. krebsonsecurity.com
  3. nvd.nist.gov
  4. cyberscoop.com
  5. cisa.gov