A government entity in the US paid about $1 million to extortionists who, according to researchers, did not encrypt a single file on the victim’s network. According to a case study by Rakesh Krishnan for Ransom-ISAC, a group calling itself Kairos used a pure data-theft extortion model: they stole files and demanded payment in exchange for not publishing them. The analysis is based on a leaked negotiation chat and blockchain tracing of the payment. The incident affected tens of thousands of citizens whose personal data — from Social Security numbers to fingerprints — ended up in the hands of the attackers.
Timeline of the incident and negotiations
According to the study, negotiations between Kairos and the victim lasted about a month. The attackers opened the bidding with a demand of $3 million, claiming to have more than 2 terabytes of data — roughly 1.6 million files. The victim, who described themselves in the negotiations as “a small county with limited resources,” started with an offer of $100,000, gradually raising it to $255,000 and then to $430,000.
Kairos lowered its demand to $2 million and then set a “final” amount of $1 million with a strict deadline. The attackers used standard pressure tactics: a countdown timer, compressed timelines, and threats to publish the most sensitive folders first. They placed particular emphasis on a folder labeled “prosecutors office,” warning that publishing it would allow criminals to escape prosecution.
According to the study, payment was made on June 13, 2025 — approximately 9.44 BTC, which at the time was about $1 million. The victim ended up paying ten times its initial offer.
Blockchain tracing and “proof of deletion”
Krishnan traced the flow of funds after payment. According to the analysis, within a few hours the amount was split up and moved through a chain of wallets to deposit addresses presumably associated with the crypto exchanges Bybit, OKX, and the Russian service BELQI. This kind of tracing gives investigators leads but does not allow them to identify specific individuals.
After receiving payment, Kairos provided a “proof of deletion” file. However, as the researcher notes, the list of filenames merely confirms that the attackers once had access to the data — it says nothing about whether the originals were actually destroyed. Any promise to delete stolen data ultimately comes down to trusting the very party that carried out the theft.
Connection to a real-world incident
The researcher does not name the victim directly, but the files mentioned in the leaked negotiations have distinctive names: Union.xlsx, 1 union co psi template.doc, final archive union.rar. In May 2025, Union County, Ohio officially reported the discovery of malicious software on its network and subsequently notified 45,487 residents and employees that their data had been compromised. Among the stolen information were Social Security numbers, financial account details, fingerprints, and passport numbers. The county’s population is about 70,000, meaning the incident affected a majority of residents.
Important caveat: neither Union County nor Kairos has officially confirmed a link between the leaked negotiations and this incident. If the connection is confirmed, it would mean a municipal government paid about $1 million without publicly disclosing the fact of the payment.
Extortion without encryption: a growing trend
Union County described what happened as a ransomware attack. However, in the Kairos case, researchers found no encryptor, no locker, and no demand for a decryption key. The only pressure lever was the stolen data itself.
This is not an isolated case. By available estimates, in 2025 only about half of attacks classified as “ransomware” actually involved encryption — the lowest share in six years. Some groups have abandoned encryption entirely. In particular, Silent Ransom Group, associated with former members of Conti, has for several years been conducting pure data-theft extortion campaigns against legal and financial firms in the US.
The negotiation pattern used by Kairos also fits known models. When internal chats from Black Basta leaked in February 2025, analysis revealed a deal with an almost identical arc: from a $1.5 million demand, through a $100,000 counteroffer, to a final $1 million payment.
Current status of Kairos
According to the study, the Kairos leak site is currently inactive, and the group’s last known victim was recorded in June 2026. However, the wallet associated with the operation, according to blockchain analysis, was still active in May 2026. A non-functioning leak site does not necessarily mean the group has ceased operations.
In the negotiations, Kairos stated that initial access was obtained by guessing a password. For data exfiltration, they reportedly used temporary links from the temp.sh service.
Recommendations for municipal and government networks
- Multi-factor authentication (MFA) — must be required for all accounts with remote access. Kairos claimed they entered the network simply by guessing a password.
- Anomaly monitoring — track repeated failed login attempts, unusually large outbound data transfers, and connections to one-time file-sharing services (temp.sh and similar).
- Data segmentation — legal and HR documents and citizens’ personal data should be isolated from the general network.
- Public response plan — prepare a statement template and notification procedures before an incident occurs.
- Approach to “proof of deletion” — a list of filenames is not proof that data has been destroyed. There is no guarantee behind any attacker’s promise to delete stolen data.
The Kairos case illustrates a concrete shift in the economics of extortion: encryption becomes optional when the mere theft of sensitive data is enough. For organizations with limited security budgets — especially municipal entities — top priorities should be MFA on all points of entry, segmentation of personal-data storage, and monitoring for large outbound transfers. Paying a ransom provides no guarantees: the “receipt” for data deletion is written by the same hand that stole it.