A newly published investigation has offered an unusual look inside a cyber extortion case in which a U.S. government organization is believed to have paid about $1 million after attackers stole sensitive data from its network. The analysis, conducted by Rakesh Krishnan for Ransom-ISAC, draws on leaked negotiation conversations and cryptocurrency transaction records to reconstruct how the incident unfolded.
The case stands out because the attackers, operating under the name Kairos, do not appear to have used traditional ransomware. According to the report, investigators found no evidence that the group encrypted computer systems or provided victims with decryption keys. Instead, the attackers allegedly copied confidential files and demanded payment in exchange for keeping the stolen information private.
Although the report does not identify the victim by name, several details point toward Union County, Ohio. File names referenced during the negotiations included "Union.xlsx," "1 union co psi template.doc," and an archive labelled "union.rar." One collection of files reportedly came from the county prosecutor's office, with the attackers claiming that publishing those records could interfere with criminal cases. During the discussions, the victim also described itself as a small county government with limited financial resources.
The reported incident closely matches a cyberattack disclosed by Union County in May 2025. At the time, county officials announced that personal information belonging to 45,487 current and former employees and residents had been exposed. The compromised records included Social Security numbers, financial information, passport details, fingerprints, and other sensitive data. Neither Union County nor Kairos has publicly confirmed that the leaked negotiations relate to that breach.
The leaked conversations show that the negotiations continued for nearly a month. Kairos initially demanded $3 million, claiming to possess more than two terabytes of stolen information containing around 1.6 million files. The victim responded with progressively higher offers, beginning at $100,000 before increasing to $255,000 and later $430,000. The attackers eventually reduced their demand to $1 million while imposing strict payment deadlines and warning that the most sensitive files would be released if an agreement was not reached.
According to the investigation, the payment was made on June 13, 2025, using approximately 9.44 Bitcoin, valued at roughly $1 million at the time. Blockchain analysis traced the cryptocurrency through several digital wallets before portions of the funds reached addresses linked to the cryptocurrency exchanges Bybit and OKX, as well as the Russian cryptocurrency service BELQI. While blockchain records allow investigators to follow the movement of digital assets, they do not automatically reveal the identities of those controlling the wallets.
The report also questions the value of paying cybercriminals in exchange for promises to delete stolen information. Kairos reportedly supplied what it described as proof that the files had been removed. However, the evidence only showed that the group once possessed the data and could not verify that every copy had actually been destroyed. Security experts have long warned that organizations have no reliable way to confirm whether stolen information has been deleted after a ransom payment.
Beyond the individual case, the investigation reflects a wider change in the cybercrime ecosystem. An increasing number of threat groups are abandoning file encryption and relying solely on data theft and extortion to pressure victims into paying. Sophos reported that only about half of the ransomware incidents it investigated during 2025 involved data encryption, the lowest proportion recorded in six years. Groups such as the Silent Ransom Group have also carried out extortion campaigns targeting organizations by threatening to leak stolen information without deploying ransomware.
The Kairos negotiations also resemble tactics seen in previous cyber extortion cases. Researchers examining leaked internal communications from the Black Basta ransomware operation found similarly prolonged bargaining, with initial multimillion-dollar demands eventually ending in substantially lower settlements. Earlier leaks involving the Conti ransomware group provided comparable insight into how attackers negotiate payments behind the scenes.
Although Kairos' public leak site is no longer online and its last publicly known victim was recorded in June 2026, investigators observed cryptocurrency activity linked to the group's infrastructure as recently as May 2026. The continued movement of funds suggests that the disappearance of a leak site does not necessarily indicate that an operation has ceased.
The case offers several practical lessons for government agencies and other organizations. Strengthening multi-factor authentication, monitoring repeated failed login attempts, watching for unusually large outbound data transfers, separating highly sensitive records from other systems, and preparing a communication strategy before an incident occurs can all reduce the impact of cyber extortion. The investigation also reinforces a point repeatedly emphasized by incident responders: once data has been stolen, there is no dependable way to verify an attacker's promise that it has been permanently deleted.
