U.S. Agency Paid $1M to Kairos Extortion Group


A Ransom-ISAC report says a U.S. government entity paid about $1 million to Kairos after stolen data was used for extortion instead of encryption.

A U.S. government organization paid roughly $1 million in Bitcoin after cybercriminals threatened to leak stolen data, according to a newly published case study that offers a rare look inside an extortion negotiation.

The report, released by Ransom-ISAC, describes an attack carried out by a group known as Kairos. Unlike many high-profile ransomware incidents, the attackers never encrypted the victim’s systems. Instead, they allegedly stole more than two terabytes of sensitive data and used the threat of publishing it to pressure the organization into paying.

Researchers pieced together the timeline using leaked chat logs between the attackers and the victim, along with blockchain records that tracked the cryptocurrency payment.

The victim has not been publicly identified. However, details contained in the leaked conversations, including references to file names and the size of the affected organization, closely match a cyberattack disclosed by Union County, Ohio, in 2025. Researchers stressed that no official link has been confirmed.

Negotiations reportedly lasted for about a month. Kairos opened with a demand of $3 million, while the victim initially offered $100,000. After several rounds of back-and-forth, the two sides settled on a payment of approximately $1 million, which blockchain records show was transferred as 9.44 Bitcoin on June 13, 2025.

After receiving the payment, the attackers claimed they had deleted the stolen files and provided what they described as proof. Researchers caution that there is no practical way to verify those claims, meaning victims who choose to pay can never be certain their data has actually been destroyed.

The case reflects a broader shift in the cybercrime landscape. More extortion groups are moving away from encrypting computers and instead focusing on stealing sensitive information. That approach allows attackers to pressure victims without deploying traditional ransomware, while still demanding large payouts.

For organizations, the distinction makes little difference. Even when computers remain fully operational, the threat of exposing confidential files can create enough pressure to force difficult decisions. As attacks increasingly focus on data theft rather than system disruption, protecting sensitive information has become just as important as defending against ransomware itself.
