According to a case study by Rakesh Krishnan for Ransom-ISAC, a U.S. government entity allegedly paid around $1 million to the extortion group known as Kairos in a data-theft extortion case, to keep stolen sensitive files from being published. The case study's conclusion rests on leaked negotiation chats and a bitcoin payment trail traced on the blockchain.
Details of the Extortion
The negotiation lasted approximately one month. Kairos opened by demanding $3 million over more than 2 terabytes of stolen data, comprising around 1.6 million files. The victim, described in the case study as a small county in Ohio, initially offered $100,000 and raised its offer in stages to $430,000 before the two sides settled on $1 million. The payment of 9.44 bitcoin was completed on June 13, 2025.
Nature of the Attack
Notably, Kairos did not use ransomware in the traditional sense: there was no evidence of file encryption and no demand for payment in exchange for decryption keys. The group's leverage came entirely from the threat of leaking the stolen files, in particular a folder labelled “prosecutors office,” whose contents could potentially help defendants evade charges. The files reportedly also contained sensitive personal information, including Social Security numbers and financial details.
Connection to Previous Incidents
The victim's identity has not been confirmed, but the details align with an incident reported in May 2025, when an Ohio county disclosed a ransomware detection and notified 45,487 residents of a data breach. The link between that county and the Kairos negotiation remains unverified; if it holds, it points to a significant payment by a county government that was never publicly disclosed.
Implications for Security Practices
The incident illustrates a broader shift in extortion tactics: data theft alone is increasingly used as leverage, with no encryption stage at all, which means an attack can reach the extortion phase without the file-system disruption that usually triggers detection. Experts suggest that organizations, especially small government entities, should strengthen their defenses. Recommendations include enabling multi-factor authentication, monitoring for unusual login attempts, and segmenting sensitive records (such as prosecutor case files) away from broad network access. The case is also a reminder that an attacker's promise to delete stolen data after payment cannot be verified and should be treated with skepticism.
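To make the "monitor for unusual login attempts" recommendation concrete, the following is an added example written for this page; it is not code from the Ransom-ISAC case study, from NeonPulse, or from any tool mentioned in the article, and nothing in the article describes how the Ohio county was actually breached. The log line format, the account names and IP addresses, the failure threshold, the time window, and the known-source baseline are all constructed assumptions for illustration. The script reads authentication events, flags a burst of failed logins from one source, a successful login from a source that just produced such a burst, and a successful login from a source never before seen for that account.

```python
"""Detect unusual login attempts in authentication logs.

Added example for this page; not code from the case study or the article.
The log format, thresholds and sample data below are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed (constructed) log format, loosely modelled on an sshd/syslog line:
#   <ISO timestamp> <accepted|failed> user=<name> src=<ip>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<result>accepted|failed) user=(?P<user>\S+) src=(?P<ip>\S+)$"
)

FAIL_THRESHOLD = 5                  # this many failures from one source ...
FAIL_WINDOW = timedelta(minutes=5)  # ... within this window counts as a burst


def parse(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "result": m["result"],
        "user": m["user"],
        "ip": m["ip"],
    }


def detect(lines, known_sources=None):
    """Return alerts as (kind, user, ip, timestamp) tuples, in log order.

    known_sources: {user: {ip, ...}} baseline of sources that have previously
    logged in successfully (assumed to come from historical logs).
    """
    known = defaultdict(set, {u: set(v) for u, v in (known_sources or {}).items()})
    fails = defaultdict(deque)  # ip -> timestamps of recent failures (sliding window)
    burst_ips = set()           # sources that already tripped the failure threshold
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        ip, user, ts = ev["ip"], ev["user"], ev["ts"]
        if ev["result"] == "failed":
            q = fails[ip]
            q.append(ts)
            while q and ts - q[0] > FAIL_WINDOW:  # drop failures outside the window
                q.popleft()
            if len(q) >= FAIL_THRESHOLD and ip not in burst_ips:
                burst_ips.add(ip)  # alert once per source, not on every further failure
                alerts.append(("failure_burst", user, ip, ts))
        else:
            if ip in burst_ips:
                # a success right after a failure burst is the strongest signal here
                alerts.append(("success_after_burst", user, ip, ts))
            if ip not in known[user]:
                alerts.append(("new_source", user, ip, ts))
            known[user].add(ip)
    return alerts


# Constructed sample log: a password-guessing burst against "clerk" that
# eventually succeeds, followed by routine activity from a known source.
SAMPLE_LOG = """
2025-05-02T01:10:00 failed user=clerk src=203.0.113.7
2025-05-02T01:10:20 failed user=clerk src=203.0.113.7
2025-05-02T01:10:40 failed user=clerk src=203.0.113.7
2025-05-02T01:11:00 failed user=clerk src=203.0.113.7
2025-05-02T01:11:20 failed user=clerk src=203.0.113.7
2025-05-02T01:12:00 accepted user=clerk src=203.0.113.7
2025-05-02T08:30:00 accepted user=jdoe src=192.0.2.10
2025-05-02T08:45:00 failed user=jdoe src=192.0.2.10
2025-05-02T08:45:30 accepted user=jdoe src=192.0.2.10
""".strip().splitlines()

# Assumed baseline: jdoe normally logs in from 192.0.2.10; clerk has no history.
KNOWN_SOURCES = {"jdoe": {"192.0.2.10"}}


def run_sample():
    """Run the detector over the constructed sample log."""
    return detect(SAMPLE_LOG, KNOWN_SOURCES)


if __name__ == "__main__":
    for kind, user, ip, ts in run_sample():
        print(f"{ts.isoformat()} {kind:20s} user={user} src={ip}")
```

On the sample, the detector raises three alerts in sequence: a failure burst from 203.0.113.7 when the fifth failure lands, then both a success-after-burst and a new-source alert when the same address finally authenticates as "clerk". The single mistyped password from jdoe's usual address raises nothing. The known-source baseline is what keeps the new-source rule from firing on every ordinary login, so in practice it needs to be seeded from a long enough history before the rule is turned on.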
This article was produced by NeonPulse.today using human and AI-assisted editorial processes, based on publicly available information. Content may be edited for clarity and style.