Kairos took $1M from a U.S. government entity — and never encrypted a file

Ransom-ISAC's new case study confirms a ~$1M payment (9.44 BTC) to the Kairos crew on June 13, 2025. Krishnan's review found no encryption at any point — data-theft extortion only, tracked in ransomware feeds anyway.

Photo: Gerd Fahrenhorst / Wikimedia Commons · CC BY 4.0
airgap · Published · 2 min read

A U.S. government entity paid the Kairos crew approximately $1 million on June 13, 2025 — 9.44 BTC at the time — to keep 2+ terabytes of stolen files offline. Confirmed by Rakesh Krishnan of Ransom-ISAC in a case study published July 4 and summarized by The Hacker News the same day. The victim is not officially named. Krishnan’s writeup points at Union County, Ohio; neither the county nor Kairos has confirmed. Treat the attribution as high-confidence-not-official.

The load-bearing detail: Kairos never encrypted anything. Krishnan reviewed the operation end-to-end and found no evidence that Kairos ever locked a single machine, at this victim or any prior one. Every listing on the group’s leak site was pure data-theft extortion. This is tracked as ransomware in most feeds. Structurally it isn’t.

Confirmed timeline

  • May 2025 (approx.): Initial access. Krishnan attributes it to a guessed password. Confidence: reported.
  • May–June 2025: Roughly one-month negotiation window. Initial demand $3 million against claimed 2+ TB / 1.6 million files.
  • County counter-offers, in sequence: $100,000 → $255,000 → $430,000.
  • Final settlement: $1 million. Kairos demanded payment “by Friday” or public release.
  • June 13, 2025: Payment sent — two Bitcoin transactions totaling 9.44 BTC.
  • Post-payment: Kairos delivered “proof of deletion” files. Authenticity unverified.

The negotiation chat itself leaked; Krishnan built the case study from that plus the on-chain trail. The chat log is the primary artifact, not a reconstruction.

Blockchain trail

Payment split into two transactions. Funds moved through a series of intermediary wallets and consolidated toward three destinations: Bybit, OKX, and Russian exchange BELQI. That’s the standard laundering shape for extortion revenue in 2025 — CEX cash-out at the terminal end, no mixer step observed. Krishnan’s writeup carries the full hop-by-hop; we’re not reproducing wallet addresses here.

Current status of the group

  • Leak site: offline as of publication.
  • Last known victim listing: June 2026.
  • Aliases: none currently tracked. Kairos appears to have operated under a single brand for its full run.

Whether the operators have retired, rebranded, or gone quiet ahead of a relaunch is unconfirmed. Treat accordingly.

Why this matters

Ransom-ISAC’s core point is a taxonomy one: the label “ransomware” is doing work it shouldn’t when the operation never encrypts. Kairos ran the extortion side of the playbook — leak site, countdown, negotiated payment — without ever executing the encryption side. That distinction changes the defensive posture. Immutable backups and rapid restore, which are the load-bearing controls against encryption-based ransomware, don’t help against a group that never locks a file. Data-theft extortion is a data-loss-prevention and access-control problem first. The initial access here was a guessed password on a government network — not a novel exploit, not a supply-chain compromise, a guessed password.

If a Kairos-shaped operation is on your threat model, the honest questions are:

  • Do you have visibility on 2 TB of egress leaving a single system in a month? Krishnan documents the operator using temp.sh for exfil staging. That’s a specific IOC worth alerting on if you aren’t already.
  • Are the credentials on your externally reachable services strong enough that “guessed” is not a plausible initial-access path? For the affected entity, they were not.
  • Does your incident-response plan distinguish between encryption events and pure data-theft events? The playbooks diverge sharply from hour one.
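The first question above is the one most shops cannot answer from memory. As an added example (not code from Ransom-ISAC, Krishnan's case study, or this article), the following script runs two cheap checks over a constructed egress log: a lookup for connections to the staging domain the case study names (temp.sh), and a sliding-window sum of outbound bytes per source host that flags anything above a threshold. The log format, hostnames, byte counts and the 1 GB default threshold are assumptions chosen to make the sample readable; in production the threshold should come from each host's own baseline, and the domain set from your current intel feed.

```python
"""
Added example: egress review for data-theft extortion indicators.
Not from the Ransom-ISAC case study or the article; all hostnames,
byte counts and thresholds below are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample proxy/flow log. Format (assumed):
#   <ISO timestamp> <source host> <destination domain> <bytes out>
SAMPLE_LOG = """\
2025-05-20T01:10:00 fileserver01 update.example-vendor.test 120000
2025-05-20T01:15:00 fileserver01 temp.sh 734003200
2025-05-20T02:40:00 fileserver01 temp.sh 801000000
2025-05-21T03:05:00 fileserver01 temp.sh 790000000
2025-05-21T09:00:00 workstation17 mail.example.test 2500000
2025-05-22T04:30:00 fileserver01 temp.sh 812000000
2025-05-23T08:00:00 workstation17 cdn.example.test 5000000
"""

# temp.sh is the staging service named in Krishnan's writeup; any other
# entries you add here are your own intel, not the article's.
STAGING_DOMAINS = {"temp.sh"}


def parse_log(text):
    """Parse the assumed four-column format into (ts, host, domain, bytes) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, domain, nbytes = line.split()
        events.append((datetime.fromisoformat(ts), host, domain, int(nbytes)))
    return events


def staging_hits(events):
    """Return every (ts, host, domain) that touched a known staging domain."""
    return [(ts, host, domain)
            for ts, host, domain, _ in events
            if domain.lower() in STAGING_DOMAINS]


def egress_by_host(events, window=timedelta(days=30), threshold_bytes=10**9):
    """Flag hosts whose outbound bytes within any `window` exceed `threshold_bytes`.

    Returns {host: peak_window_total} for flagged hosts only. Uses a sliding
    window over time-sorted events so a slow, month-long exfil (the shape in
    the case study) is caught even if no single day looks unusual.
    """
    per_host = defaultdict(list)
    for ts, host, _, nbytes in events:
        per_host[host].append((ts, nbytes))

    flagged = {}
    for host, items in per_host.items():
        items.sort()
        total, start = 0, 0
        for ts, nbytes in items:
            total += nbytes
            # Drop events that fell out of the window ending at `ts`.
            while items[start][0] < ts - window:
                total -= items[start][1]
                start += 1
            if total > threshold_bytes:
                flagged[host] = max(flagged.get(host, 0), total)
    return flagged


def review(text):
    """Run both checks and return a single report dict."""
    events = parse_log(text)
    return {
        "staging_hits": staging_hits(events),
        "high_egress_hosts": egress_by_host(events),
    }


if __name__ == "__main__":
    report = review(SAMPLE_LOG)
    for ts, host, domain in report["staging_hits"]:
        print(f"[staging] {ts.isoformat()} {host} -> {domain}")
    for host, total in report["high_egress_hosts"].items():
        print(f"[egress]  {host} sent {total / 1e9:.2f} GB inside the window")
```

The two checks deliberately stay independent: the domain match is an exact IOC and will go stale as operators move staging services, while the volume check is behavioural and keeps working after the IOC does. On the constructed sample, fileserver01 trips both; workstation17 trips neither.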
