A U.S. government entity reportedly paid about $1 million in Bitcoin to the Kairos group after attackers allegedly stole more than 2 TB of data and threatened to publish it. A Ransom-ISAC case study said the incident showed no confirmed signs of file encryption, a ransomware locker, or any decryption demand, indicating a pure data-theft extortion operation rather than a traditional ransomware attack. Negotiations reportedly lasted about a month, with Kairos reducing its demand from $3 million to a final payment of roughly 9.44 BTC.
The victim was not formally identified, but chat logs and file-name clues cited in the reporting align with Union County, Ohio, which disclosed a 2025 breach affecting 45,487 residents and staff, though neither the county nor Kairos confirmed the connection. Blockchain tracing found the payment was quickly split and routed toward deposit addresses linked to Bybit, OKX, and BELQI, offering investigative leads but not definitive attribution. The case underscores the rise of encryption-less extortion, where organizations face pressure to pay despite having no technical way to verify that stolen data was actually deleted.

Timeline, most recent event first:
Blockchain tracing found the 9.44 BTC payment was quickly split and routed toward deposit addresses or wallets associated with Bybit, OKX, and BELQI. The reporting says these flows provided investigative leads but did not by themselves prove attribution.
Union County, Ohio disclosed a May 2025 incident affecting 45,487 residents and staff. Later reporting said details in leaked Kairos negotiation materials aligned with this disclosed intrusion, though the linkage was not officially confirmed.
After a roughly month-long negotiation in which Kairos reportedly lowered its demand from $3 million, the victim paid about $1 million, or roughly 9.44 BTC, to prevent stolen files from being leaked. The case was described as a data-theft extortion incident with no confirmed evidence of file encryption or a decryption demand.
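The blockchain tracing mentioned above (a payment split and routed toward exchange deposit addresses) rests on forward taint tracing: follow the paid output through every transaction that spends it, and when tainted coins are mixed with other inputs, assign each output a proportional share. The following is an added illustration, not code from the reporting or from any tracing vendor; the transaction graph, values and "Exchange X/Y/Z" labels are constructed and do not correspond to the real Kairos transactions or the exchanges named in the story.

```python
from collections import defaultdict, deque
from decimal import Decimal

# Constructed sample graph, not the real Kairos transactions or addresses.
# tx id -> inputs: (prev_txid, vout) consumed; outputs: (address, BTC value).
# The fee of each tx is whatever its inputs exceed its outputs by.
TXS = {
    "pay":   {"inputs": [],                        "outputs": [("attacker_wallet", "9.44")]},
    "split": {"inputs": [("pay", 0)],              "outputs": [("hop_a", "4.0"), ("hop_b", "5.4")]},
    "a1":    {"inputs": [("split", 0)],            "outputs": [("exch_x_deposit", "3.99")]},
    "b1":    {"inputs": [("split", 1)],            "outputs": [("exch_y_deposit", "2.0"), ("hop_c", "3.39")]},
    "clean": {"inputs": [],                        "outputs": [("clean_src", "3.39")]},
    "c1":    {"inputs": [("b1", 1), ("clean", 0)], "outputs": [("exch_z_deposit", "4.0"), ("change", "2.77")]},
}
# Hypothetical attribution labels standing in for known exchange deposit addresses.
LABELS = {"exch_x_deposit": "Exchange X", "exch_y_deposit": "Exchange Y", "exch_z_deposit": "Exchange Z"}


def topo_order(txs):
    """Kahn's algorithm over the spend graph, so each tx is handled after every tx it spends from."""
    parents = {t: {p[0] for p in tx["inputs"]} for t, tx in txs.items()}
    children = defaultdict(list)
    for t, ps in parents.items():
        for p in ps:
            children[p].append(t)
    indeg = {t: len(ps) for t, ps in parents.items()}
    ready = deque(t for t, d in indeg.items() if d == 0)
    order = []
    while ready:
        t = ready.popleft()
        order.append(t)
        for c in children[t]:
            indeg[c] -= 1
            if indeg[c] == 0:
                ready.append(c)
    return order


def output_value(txs, outpoint):
    txid, vout = outpoint
    return Decimal(txs[txid]["outputs"][vout][1])


def trace_taint(txs, start, labels):
    """Proportional forward taint from one outpoint.

    Every output of a spending tx inherits the fraction of that tx's input value that was tainted,
    so mixing with clean coins dilutes the taint and fees drop out proportionally.
    Returns label -> tainted BTC sitting at unspent outputs ("unattributed" for unlabelled addresses).
    """
    spent = {p for tx in txs.values() for p in tx["inputs"]}
    taint = {start: output_value(txs, start)}
    for txid in topo_order(txs):
        tx = txs[txid]
        tainted_in = sum((taint.get(p, Decimal(0)) for p in tx["inputs"]), Decimal(0))
        if tainted_in == 0:
            continue  # coinbase-like or fully clean tx
        total_in = sum(output_value(txs, p) for p in tx["inputs"])
        share = tainted_in / total_in
        for vout, (_addr, val) in enumerate(tx["outputs"]):
            taint[(txid, vout)] = Decimal(val) * share
    reached = defaultdict(Decimal)
    for outpoint, amount in taint.items():
        if outpoint in spent:
            continue
        addr = txs[outpoint[0]]["outputs"][outpoint[1]][0]
        reached[labels.get(addr, "unattributed")] += amount
    return dict(reached)


if __name__ == "__main__":
    for label, btc in sorted(trace_taint(TXS, ("pay", 0), LABELS).items()):
        print(f"{label:14} {btc} BTC")
```

On this constructed graph the 9.44 BTC ends as 3.99 at Exchange X, 2.0 at Exchange Y, 2.0 at Exchange Z and 1.385 unattributed, with 0.065 BTC lost to fees. The "unattributed" bucket is the point the reporting makes: a deposit address tells you which custodian can be subpoenaed, not who controls the account, and funds that never reach a labelled address remain a lead rather than an attribution.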
Sources: securityaffairs.com, thehackernews.com, ransom-isac.org