Kairos Group Demands $1 Million in Novel Data-Theft Extortion Case
A U.S. government entity reportedly paid $1 million to the Kairos group to prevent the leak of stolen data, highlighting a new extortion tactic that bypasses traditional ransomware encryption.

A U.S. government entity has paid approximately $1 million to a group known as Kairos to prevent the public release of sensitive data stolen from its network. This incident, detailed in a case study by Rakesh Krishnan for Ransom-ISAC, suggests a significant evolution in extortion tactics, as analysis of negotiation chats and blockchain transactions indicates Kairos may not be a traditional ransomware gang. Crucially, there is no evidence that the group encrypted any victim data, instead relying solely on the threat of data exfiltration and leak.
The victim, identified through file names such as "Union.xlsx" and "prosecutors office," appears to be Union County, Ohio. The county, which serves a population of roughly 70,000, had previously disclosed a ransomware incident in May 2025 affecting 45,487 residents and staff, with stolen records including Social Security numbers, financial details, fingerprints, and passport information. While neither the county nor Kairos has officially confirmed this connection, the evidence strongly suggests it. If confirmed, the county government made a substantial, undisclosed payment.
Negotiations between Kairos and the victim reportedly spanned about a month. Kairos initially demanded $3 million, claiming to possess over 2 terabytes of data comprising approximately 1.6 million files. The county's offers began at $100,000 and gradually increased to $255,000 and then $430,000. Kairos eventually lowered its demand to a final figure of $1 million, setting a strict deadline for payment to avoid data publication.
The ransom payment, approximately 9.44 Bitcoin valued at around $1 million at the time, was made on June 13, 2025. Within hours of receiving the funds, Kairos began moving them through a series of wallets, with traces leading to deposit addresses associated with cryptocurrency exchanges Bybit, OKX, and the Russian service BELQI. While this tracing provides investigative leads, it does not directly identify the perpetrators. The victim received a "proof of deletion" file, but this only confirms the attacker's prior access to the data, not its actual destruction.
The shift away from encryption is a growing trend in the cybercriminal landscape. Sophos reported in 2025 that only about half of ransomware attacks still involve encryption, a six-year low. Groups like Silent Ransom Group have previously focused on pure data-theft extortion without deploying encryptors. The Kairos negotiation pattern also mirrors that seen in other major ransomware operations, such as Black Basta, where leaked chats revealed similar negotiation arcs from initial demands to final payments.
Despite the apparent success of this extortion, Kairos itself appears to have gone quiet, with its last known victim surfacing in June 2026 and its leak site now offline. However, a wallet linked to the operation was still active in May 2026, indicating that the group may still be operational, even if less visible. The threat posed by such groups remains significant, particularly for entities with limited resources.
For organizations, especially smaller government entities, the lessons from this incident are stark and familiar. Implementing multi-factor authentication is crucial, as Kairos reportedly gained initial access by guessing a password. Vigilance against suspicious login activity, large data transfers, and the use of temporary file-sharing links is essential. Furthermore, critical data repositories like legal and HR records should be isolated from general network access. Finally, any promise of data deletion by attackers should be treated with extreme skepticism, as payment does not guarantee data destruction.