Kairos took $1M from a U.S. government entity — and never encrypted a file
Ransom-ISAC's new case study confirms a ~$1M payment (9.44 BTC) to the Kairos crew on June 13, 2025. Krishnan's review found no encryption at any point — data-theft extortion only, tracked in ransomware feeds anyway.
A U.S. government entity paid the Kairos crew approximately $1 million on June 13, 2025 — 9.44 BTC at the time — to keep 2+ terabytes of stolen files offline. Confirmed by Rakesh Krishnan of Ransom-ISAC in a case study published July 4 and summarized by The Hacker News the same day. The victim is not officially named. Krishnan’s writeup points at Union County, Ohio; neither the county nor Kairos has confirmed. Treat the attribution as high-confidence but not official.
The load-bearing detail: Kairos never encrypted anything. Krishnan reviewed the operation end-to-end and found no evidence that Kairos ever locked a single machine, at this victim or any prior one. Every listing on the group’s leak site was pure data-theft extortion. This is tracked as ransomware in most feeds. Structurally it isn’t.
Confirmed timeline
- May 2025 (approx.): Initial access. Krishnan attributes it to a guessed password. Confidence: reported.
- May–June 2025: Roughly one-month negotiation window. Initial demand $3 million against claimed 2+ TB / 1.6 million files.
- County counter-offers, in sequence: $100,000 → $255,000 → $430,000.
- Final settlement: $1 million. Kairos demanded payment “by Friday” or public release.
- June 13, 2025: Payment sent — two Bitcoin transactions totaling 9.44 BTC.
- Post-payment: Kairos delivered “proof of deletion” files. Authenticity unverified.
The negotiation chat itself leaked; Krishnan built the case study from that plus the on-chain trail. The chat log is the primary artifact, not a reconstruction.
Blockchain trail
Payment split into two transactions. Funds moved through a series of intermediary wallets and consolidated toward three destinations: Bybit, OKX, and Russian exchange BELQI. That’s the standard laundering shape for extortion revenue in 2025 — CEX cash-out at the terminal end, no mixer step observed. Krishnan’s writeup carries the full hop-by-hop; we’re not reproducing wallet addresses here.
Current status of the group
- Leak site: offline as of publication.
- Last known victim listing: June 2026.
- Aliases: none currently tracked. Kairos appears to have operated under a single brand for its full run.
Whether the operators have retired, rebranded, or gone quiet ahead of a relaunch is unconfirmed. Treat accordingly.
Why this matters
Ransom-ISAC’s core point is a taxonomy one: the label “ransomware” is doing work it shouldn’t when the operation never encrypts. Kairos ran the extortion side of the playbook — leak site, countdown, negotiated payment — without ever executing the encryption side. That distinction changes the defensive posture. Immutable backups and rapid restore, which are the load-bearing controls against encryption-based ransomware, don’t help against a group that never locks a file. Data-theft extortion is a data-loss-prevention and access-control problem first. The initial access here was a guessed password on a government network — not a novel exploit, not a supply-chain compromise, a guessed password.
If a Kairos-shaped operation is on your threat model, the honest questions are:
- Do you have visibility into 2 TB of egress leaving a single system in a month? Krishnan documents the operator using temp.sh for exfil staging. That’s a specific IOC worth alerting on if you aren’t already.
- Are the credentials on your externally reachable services strong enough that “guessed” is not a plausible initial-access path? For the affected entity, they were not.
- Does your incident-response plan distinguish between encryption events and pure data-theft events? The playbooks diverge sharply from hour one.
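One way to turn the first question into a concrete check, as an added example that is not code from Ransom-ISAC or the case study: a sliding-window egress detector run over constructed proxy log lines, alerting both on contact with the temp.sh staging domain named in the writeup and on per-host outbound volume exceeding a threshold. The log format, the 30-day window and the 500 GB threshold are assumptions to tune against your own baseline.

```python
from collections import defaultdict
from datetime import datetime, timedelta

GB = 10 ** 9
# Constructed sample egress lines: "<iso-timestamp> <src-host> <dest-host> <bytes-out>"
SAMPLE_LOG = """\
2025-05-20T01:12:03 fileserver-02 temp.sh 300000000000
2025-05-21T03:05:44 fileserver-02 temp.sh 350000000000
2025-05-21T09:15:00 workstation-17 updates.example.com 5000000000
2025-05-24T02:18:37 fileserver-02 temp.sh 400000000000
2025-05-28T02:40:11 fileserver-02 temp.sh 450000000000
2025-05-29T11:30:09 workstation-17 www.example.com 1000000000
""".splitlines()

STAGING_DOMAINS = {"temp.sh"}   # exfil-staging IOC named in the Kairos writeup
WINDOW = timedelta(days=30)     # rolling window length (assumed)
VOLUME_THRESHOLD = 500 * GB     # per-host egress ceiling per window (assumed; tune to baseline)


def parse_line(line):
    ts, src, dst, nbytes = line.split()
    return datetime.fromisoformat(ts), src, dst, int(nbytes)


def detect(lines, window=WINDOW, threshold=VOLUME_THRESHOLD, staging=STAGING_DOMAINS):
    """Return {host: [alert, ...]}: one alert per (host, staging domain) pair seen,
    plus one per host whose egress inside any rolling window exceeds `threshold`."""
    per_host = defaultdict(list)   # host -> [(timestamp, bytes_out)]
    alerts = defaultdict(list)
    seen_staging = set()
    for line in lines:
        ts, src, dst, nbytes = parse_line(line)
        if dst in staging and (src, dst) not in seen_staging:
            seen_staging.add((src, dst))
            alerts[src].append(f"staging-domain contact: {dst} (first seen {ts.isoformat()})")
        per_host[src].append((ts, nbytes))
    for host, events in per_host.items():
        events.sort()
        total, start = 0, 0
        for ts, nbytes in events:  # slide the window over time-ordered events
            total += nbytes
            while ts - events[start][0] > window:  # evict events older than the window
                total -= events[start][1]
                start += 1
            if total > threshold:
                alerts[host].append(f"egress {total / GB:.0f} GB within {window.days} days, by {ts.isoformat()}")
                break
    return dict(alerts)


if __name__ == "__main__":
    for host, host_alerts in detect(SAMPLE_LOG).items():
        print(f"{host}:")
        for alert in host_alerts:
            print("  ", alert)
```

Against the constructed sample, fileserver-02 trips both rules by the second transfer while workstation-17, with a few gigabytes to ordinary destinations, raises nothing.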
Sources
- Rakesh Krishnan, Kairos Ransomware — Data Extortion Case Study, Ransom-ISAC, July 4, 2026.
- U.S. Government Entity Paid Kairos $1 Million in Data-Theft Extortion Case, The Hacker News, July 4, 2026.