
U.S. Government Entity Pays Kairos $1 Million in Data Theft Extortion Case


In a concerning development within the realm of cybersecurity, a U.S. governmental entity has reportedly made a substantial payment—approximately $1 million—to prevent the public release of sensitive files that were stolen from its network. This scenario has been examined in detail in a case study authored by Rakesh Krishnan for Ransom-ISAC, which utilized a leaked negotiation chat and blockchain analysis to unravel the events leading to this payment.

The group responsible for this extortion, which identifies itself as Kairos, is notable for its unusual approach. Unlike typical ransomware operations that encrypt data to demand payment for decryption keys, Krishnan found no evidence that Kairos ever encrypted any machines. Instead, their methodology was more straightforward: they stole files and threatened to publish them unless a ransom was paid. This raises significant questions about the evolving nature of cyber threats, moving away from encryption-based tactics to direct data leverage.

Though the identity of the victim has not been publicly confirmed, clues in the leaked chat suggest the involvement of Union County, Ohio. The names of stolen documents such as “Union.xlsx” and “union.rar” provide compelling indications pointing towards this assumption. The county has described itself as resource-constrained, and the attackers notably focused their threats on a specific folder labeled “prosecutors office,” emphasizing that releasing its contents could aid criminals in evading prosecution.

This alleged breach harkens back to an incident reported by Union County in May 2025, when officials revealed they had detected ransomware activity within their network. They subsequently notified approximately 45,487 residents and staff that their confidential information had been compromised, affecting the majority of the county’s population of around 70,000. The stolen data encompassed a range of sensitive materials, including Social Security numbers, financial records, fingerprints, and passport information.

Although neither the county nor Kairos has explicitly acknowledged any connection, if such a link is validated, it would mean that a government body paid a significant sum—around $1 million—that was never publicly declared. The Hacker News has reached out to the Union County Commissioners’ Office for comments regarding this matter, promising updates should any response be received.

The negotiation process between Union County and Kairos extended over the course of approximately a month. Initially, Kairos demanded a staggering $3 million in exchange for the return of over 2 terabytes of data, comprising approximately 1.6 million files. The county’s starting offer was set at $100,000, which gradually increased, reaching up to $430,000 by the end of negotiations. Ultimately, Kairos settled at $1 million with a strict deadline, warning that failure to comply would result in the public exposure of the stolen files.

This payment, equivalent to about 9.44 bitcoin at the time, was traced by Krishnan through multiple wallets shortly after being made. Within hours of the transaction, the funds were divided and funneled through a complex network of wallets connected to crypto exchanges, including Bybit, OKX, and a Russian service known as BELQI. This type of tracing may provide investigators with leads, although it does not guarantee the identification of individuals involved.

The aftermath of such payments is fraught with uncertainty. In this case, Kairos allegedly provided a document labeled “proof of deletion,” yet the accompanying list of file names only indicated that the attacker had access to these files at some point. Paying to erase stolen data can be seen as an act of blind faith, since the receipt for this “service” is essentially issued by the perpetrator.

Union County has labeled the incident as a ransomware attack, a term that has become almost synonymous with cybercrime. However, in the case of Kairos, no data was encrypted—highlighting a significant shift in the landscape of such cyber threats. Reports indicate that only about half of ransomware incidents in 2025 involved any form of encryption, marking a notable decline. Some groups have entirely abandoned encryption, relying solely on data theft for extortion.

The negotiation tactics employed by Kairos mirror those seen in other recent incidents. For instance, internal communications from the Black Basta group revealed similar patterns of negotiation, often beginning with exorbitant demands and concluding with significantly lower settlement offers—indicative of a familiar cycle within the world of cyber extortion.

While the conspicuous operations of Kairos appear to have quieted down, with their leak site inactive and their last known victim surfacing in mid-2026, indications suggest that their financial operations persisted, with linked wallets still exhibiting activity as recently as May 2026. This serves as a stark reminder that a dark leak site does not necessarily equate to the dissolution of a criminal enterprise.

For local governments navigating the increasingly treacherous waters of cybersecurity, the lessons drawn from such incidents are vital yet mundane. Enabling multi-factor authentication remains essential, since attackers like Kairos have shown they can get past standard controls through basic password guessing. Monitoring for repeated unauthorized access attempts, large outbound data transfers, and unsanctioned file-sharing links is also crucial for safeguarding sensitive data.
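As an added illustration of the monitoring the article recommends (this is not code from the article, from Ransom-ISAC, or from Union County), the script below runs two simple detectors over constructed log lines: one flags a source address that racks up many failed logins in a short window and then succeeds, the password-guessing pattern described above, and the other flags hosts whose outbound byte counts to a single destination are far above normal. The log formats, thresholds, host names and addresses are all assumptions chosen for the example.

```python
"""
Added example (not from the article or Ransom-ISAC): a small detector for two of
the signals the article recommends watching, repeated unauthorized access
attempts and unusually large outbound data transfers. Log formats and thresholds
below are assumptions for illustration, not any real product's format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log lines (hypothetical format: timestamp, result, user, source IP).
AUTH_LOG = """\
2025-05-01T02:00:01 FAIL user=jdoe src=203.0.113.7
2025-05-01T02:00:03 FAIL user=admin src=203.0.113.7
2025-05-01T02:00:05 FAIL user=svc_backup src=203.0.113.7
2025-05-01T02:00:08 FAIL user=jdoe src=203.0.113.7
2025-05-01T02:00:10 FAIL user=mlee src=203.0.113.7
2025-05-01T02:00:12 OK user=jdoe src=203.0.113.7
2025-05-01T09:15:00 FAIL user=mlee src=198.51.100.4
2025-05-01T09:16:30 OK user=mlee src=198.51.100.4
"""

# Constructed sample outbound flow records (hypothetical format: timestamp, host, destination, bytes).
FLOW_LOG = """\
2025-05-01T02:30:00 host=FILESRV01 dst=192.0.2.50 bytes_out=52000000000
2025-05-01T03:00:00 host=WS-ACCT-12 dst=192.0.2.51 bytes_out=150000000
2025-05-01T10:00:00 host=FILESRV01 dst=192.0.2.52 bytes_out=3000000
"""


def parse_kv_line(line):
    """Parse 'TIMESTAMP [RESULT] key=value ...' into a dict; the timestamp lands in 'ts'."""
    parts = line.split()
    rec = {"ts": datetime.fromisoformat(parts[0])}
    rest = parts[1:]
    # Auth lines carry a bare result token (FAIL/OK) before the key=value fields.
    if rest and "=" not in rest[0]:
        rec["result"] = rest[0]
        rest = rest[1:]
    for kv in rest:
        key, value = kv.split("=", 1)
        rec[key] = value
    return rec


def parse_log(text):
    """Parse every non-empty line of a log blob with parse_kv_line."""
    return [parse_kv_line(line) for line in text.splitlines() if line.strip()]


def password_guessing_sources(auth_records, max_failures=4, window=timedelta(minutes=5)):
    """Return source IPs with more than max_failures failed logins inside a sliding window.

    Each hit also records whether a successful login followed the burst, the
    'guessed it' case the article describes, so a responder can prioritise it.
    """
    by_src = defaultdict(list)
    for rec in sorted(auth_records, key=lambda r: r["ts"]):
        by_src[rec["src"]].append(rec)
    hits = {}
    for src, recs in by_src.items():
        fail_times = [r["ts"] for r in recs if r["result"] == "FAIL"]
        for i, start in enumerate(fail_times):
            in_window = [t for t in fail_times[i:] if t - start <= window]
            if len(in_window) > max_failures:
                burst_end = in_window[-1]
                success_after = any(r["result"] == "OK" and r["ts"] > burst_end for r in recs)
                hits[src] = {"failures": len(in_window), "success_after_burst": success_after}
                break  # one finding per source is enough for an alert
    return hits


def large_outbound_transfers(flow_records, threshold_bytes=1_000_000_000):
    """Return (host, destination) pairs whose summed outbound bytes exceed threshold_bytes."""
    totals = defaultdict(int)
    for rec in flow_records:
        totals[(rec["host"], rec["dst"])] += int(rec["bytes_out"])
    return {pair: total for pair, total in totals.items() if total > threshold_bytes}


if __name__ == "__main__":
    for src, info in password_guessing_sources(parse_log(AUTH_LOG)).items():
        print(f"password guessing from {src}: {info}")
    for (host, dst), total in large_outbound_transfers(parse_log(FLOW_LOG)).items():
        print(f"large outbound transfer: {host} -> {dst}, {total / 1e9:.1f} GB")
```

In the constructed data the detector reports one guessing source (five failures in under a minute, followed by a success) and one oversized transfer (about 52 GB from a file server to a single external address); in practice the thresholds would be tuned per environment, and the transfer check is most useful when baselined against each host's normal daily volume.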

It is also recommended that legal, human resources, and citizen records be compartmentalized from broader network access. A well-considered public statement protocol should be developed in advance of any potential crisis, and any assertions made by cybercriminals regarding the deletion of stolen data should be viewed with a healthy dose of skepticism.
