A US government entity paid nearly $1 million to keep stolen files from being leaked, according to a new case study by Rakesh Krishnan for Ransom-ISAC, based on leaked negotiation chats and the traces the blockchain payment left behind.
The strange part: the group that took the money calls itself Kairos, but it may not be a ransomware gang at all. Krishnan found no sign that it ever locked a single machine: no encryptor, no locker, no demand for a decryption key. The threat was simple. Steal files, then threaten to publish them.
Krishnan did not name the victim, but the chat points to Union County, Ohio. The proof-of-theft files have names like union.xlsx, 1Union CO PSI Template.doc, and a final archive called union.rar. The victim describes itself as a small county with limited resources. The attacker leans specifically on a folder marked “Prosecutor’s Office”, warning that leaking it would help criminals avoid charges.
The clues match the real case. In May 2025, Union County, Ohio said it detected ransomware on its network and later notified 45,487 residents and employees that their data had been taken, affecting most of the county of approximately 70,000. Stolen records included everything from Social Security and financial details to fingerprints and passport numbers.
Neither the county nor Kairos has confirmed the connection. But if it is true, a county government made a payment of nearly $1 million that has never been publicly disclosed. Hacker News has contacted the Union County Commissioners Office for comment. This story will be updated with any response.
The talks continued for about a month. Kairos started with $3 million and claimed to have over 2 terabytes of data, approximately 1.6 million files. The county started with $100,000, rising to $255,000 and then $430,000. Kairos dropped to $2 million, then set a hard final number: $1 million, paid by Friday, or the files would be made public.
On-chain payment: approximately 9.44 BTC lands in a Kairos-linked wallet.
Kairos used the usual levers: a countdown timer, hard deadlines, and the threat of dumping the most sensitive folders first. The county paid ten times its first offer on June 13, 2025.
The payment was approximately 9.44 bitcoin, worth roughly $1 million at the time. Krishnan traced the money from there. Within hours it was split in two and pushed through a series of wallets to deposit addresses linked to the crypto exchanges Bybit and OKEx and a Russian service called BELQI.
Tracing of that kind gets investigators to exchanges, not to names. And the money bought nothing concrete. Kairos sent a “proof of deletion” file, but a list of file names only shows that the attacker once had the files, not that its copies were erased. Paying for stolen data to disappear is an act of trust, and the receipt is written by the thief.
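The tracing described in the two paragraphs above, following a payment hop by hop until it reaches addresses that can be attributed to an exchange, is a graph walk. The following is an added example, not code from Krishnan's case study or from Ransom-ISAC; every address, amount and exchange label in it is constructed for illustration and none of them are the real Kairos wallets.

```python
from collections import deque

# Constructed toy transaction graph: (sender, receiver, amount in BTC).
# These addresses and amounts are invented for this example; they are not
# the wallets from the case study.
TXS = [
    ("victim_payment_addr", "kairos_wallet_1", 9.44),
    ("kairos_wallet_1", "hop_a1", 4.72),        # the split into two
    ("kairos_wallet_1", "hop_b1", 4.72),
    ("hop_a1", "hop_a2", 4.71),
    ("hop_a2", "deposit_exchange_x", 4.70),
    ("hop_b1", "hop_b2", 4.71),
    ("hop_b2", "deposit_exchange_y", 2.35),
    ("hop_b2", "deposit_service_z", 2.35),
    ("unrelated_1", "unrelated_2", 1.0),       # noise that must not be reached
]

# Attribution an investigator would get from exchange/address tagging
# (constructed labels, not real attributions).
LABELS = {
    "deposit_exchange_x": "Exchange X",
    "deposit_exchange_y": "Exchange Y",
    "deposit_service_z": "Service Z",
}


def build_graph(txs):
    """Adjacency list: address -> list of (receiver, amount)."""
    graph = {}
    for src, dst, amt in txs:
        graph.setdefault(src, []).append((dst, amt))
    return graph


def outflows(addr, txs):
    """Where an address sent funds; shows the split a launderer makes."""
    return [(dst, amt) for src, dst, amt in txs if src == addr]


def trace(start, txs, labels, max_hops=10):
    """Follow outgoing transfers from `start` breadth-first and report every
    labelled (attributed) address reached, with hop count and the path taken.
    Breadth-first search gives the shortest path to each attributed address."""
    graph = build_graph(txs)
    reached = {}
    queue = deque([(start, 0, [start])])
    seen = {start}
    while queue:
        addr, hops, path = queue.popleft()
        if addr in labels and addr != start:
            reached[addr] = {"label": labels[addr], "hops": hops, "path": path}
        if hops >= max_hops:
            continue
        for nxt, _amt in graph.get(addr, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, hops + 1, path + [nxt]))
    return reached


if __name__ == "__main__":
    print("split at kairos_wallet_1:", outflows("kairos_wallet_1", TXS))
    for addr, info in trace("victim_payment_addr", TXS, LABELS).items():
        print(f"{info['label']:<10} {info['hops']} hops  {' -> '.join(info['path'])}")
```

The result is exactly what the article says such work yields: a handful of exchange deposit addresses and the path to them. Turning a deposit address into a person requires a records request to the exchange, which is why the tracing stops at names the investigator does not have.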
Union County called it ransomware, the word everyone reaches for, but in the Kairos case nothing was locked. That is the real change: much of what is still called ransomware now skips encryption and uses stolen data as the pressure point.
Sophos reported in 2025 that only half of ransomware attacks still included any encryption, the lowest rate in six years. Some crews have dropped it altogether. Silent Ransom Group, a Conti offshoot, has spent years running pure data-theft extortion against US law and finance firms without any encryptors.
The Kairos chat also fits a familiar negotiation pattern. When Black Basta’s internal chats leaked in February 2025, analysis of the messages showed one deal going from a demand of $1.5 million to a counter of $100,000 to a payment of $1 million, almost the same arc. Those chats, and the Conti leak before them in 2022, are how researchers now reconstruct how these bargains were actually struck.
Kairos itself has gone quiet. Its leak site is down, and its last known victim was posted in June 2026. But a wallet linked to the operation was still carrying funds as of May 2026, a reminder that a dark leak site is not the same as a dead crew.
For anyone who has run a small government network, the lessons are dull and familiar, which is the point. Turn on multi-factor authentication; Kairos claimed it got in by simply guessing a password.
Watch for repeated failed logins, large outbound data transfers, and burner file-sharing links such as the temp.sh address Kairos used to move files. Keep legal, human resources and civil records segmented from the rest of the network. Have a public statement plan ready before you need it. And treat any promise to delete stolen data as worthless.
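The three signals the paragraph above tells defenders to watch for can be checked with a few lines of log triage. The following is an added example, not code from the article, from Ransom-ISAC or from Union County; the log lines are constructed in a simple key=value format for the example, the thresholds (five failed logins, 1 GiB outbound) are assumptions to tune for your own environment, and temp.sh is the only burner host listed because it is the one the article names.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample log lines (invented for this example, not from the incident).
# Format: <timestamp> <source> [<program>] key=value ...
SAMPLE_LOGS = [
    "2025-06-01T02:14:05Z auth sshd src=203.0.113.9 user=admin result=FAIL",
    "2025-06-01T02:14:09Z auth sshd src=203.0.113.9 user=admin result=FAIL",
    "2025-06-01T02:14:13Z auth sshd src=203.0.113.9 user=admin result=FAIL",
    "2025-06-01T02:14:18Z auth sshd src=203.0.113.9 user=admin result=FAIL",
    "2025-06-01T02:14:22Z auth sshd src=203.0.113.9 user=admin result=FAIL",
    "2025-06-01T02:14:40Z auth sshd src=203.0.113.9 user=admin result=OK",
    "2025-06-01T08:01:00Z auth sshd src=10.0.1.15 user=clerk result=FAIL",
    "2025-06-01T08:01:30Z auth sshd src=10.0.1.15 user=clerk result=OK",
    "2025-06-01T03:10:00Z netflow src=10.0.5.21 dst=198.51.100.7 bytes_out=2147483648",
    "2025-06-01T03:13:00Z netflow src=10.0.5.22 dst=198.51.100.8 bytes_out=1048576",
    "2025-06-01T03:12:00Z proxy src=10.0.5.21 url=https://temp.sh/abcd/union.rar method=PUT",
    "2025-06-01T09:00:00Z proxy src=10.0.1.15 url=https://example.gov/forms method=GET",
]

KV_RE = re.compile(r"(\w+)=(\S+)")
BURNER_HOSTS = ("temp.sh",)  # host named in the article; extend with others you track


def parse(line):
    """Split a line into timestamp, source type and its key=value fields."""
    parts = line.split(" ", 2)
    fields = dict(KV_RE.findall(parts[2])) if len(parts) > 2 else {}
    return {"ts": parts[0], "source": parts[1], **fields}


def failed_login_bursts(lines, threshold=5):
    """Sources with at least `threshold` failed logins, noting whether a
    success followed the burst (the guessed-password pattern)."""
    fails = defaultdict(int)
    success_after = set()
    for e in map(parse, lines):
        if e["source"] != "auth":
            continue
        src = e.get("src")
        if e.get("result") == "FAIL":
            fails[src] += 1
        elif e.get("result") == "OK" and fails[src] >= threshold:
            success_after.add(src)
    return {src: {"failures": n, "then_success": src in success_after}
            for src, n in fails.items() if n >= threshold}


def large_outbound(lines, threshold_bytes=1 << 30):
    """Flow records whose outbound byte count reaches the threshold (1 GiB default)."""
    hits = []
    for e in map(parse, lines):
        if e["source"] == "netflow" and int(e.get("bytes_out", 0)) >= threshold_bytes:
            hits.append({"src": e["src"], "dst": e["dst"], "bytes_out": int(e["bytes_out"])})
    return hits


def burner_links(lines, hosts=BURNER_HOSTS):
    """Proxy records reaching known throwaway file-sharing hosts (or subdomains)."""
    hits = []
    for e in map(parse, lines):
        if e["source"] != "proxy":
            continue
        host = urlparse(e.get("url", "")).hostname or ""
        if any(host == h or host.endswith("." + h) for h in hosts):
            hits.append({"src": e["src"], "url": e["url"], "method": e.get("method")})
    return hits


def triage(lines):
    return {"login_bursts": failed_login_bursts(lines),
            "large_outbound": large_outbound(lines),
            "burner_links": burner_links(lines)}


def correlated_sources(report):
    """Sources that show up in more than one finding type; look at these first."""
    seen = defaultdict(set)
    for src in report["login_bursts"]:
        seen[src].add("login_bursts")
    for kind in ("large_outbound", "burner_links"):
        for hit in report[kind]:
            seen[hit["src"]].add(kind)
    return {src: sorted(kinds) for src, kinds in seen.items() if len(kinds) > 1}


if __name__ == "__main__":
    report = triage(SAMPLE_LOGS)
    for kind, findings in report.items():
        print(kind, findings)
    print("correlated:", correlated_sources(report))
```

None of the three checks is conclusive on its own; a single host that both pushed a gigabyte out and uploaded to a burner file host is the kind of overlap that turns three low-priority alerts into one incident, which is what the correlation step surfaces.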