U.S. County Quietly Paid $1 Million to Data Extortionists Who Never Encrypted a File

A U.S. county paid $1 million in Bitcoin to the Kairos group after it stole 2TB of data but deployed no ransomware. Leaked chats and blockchain records reveal a month of tense negotiations that ended in silence purchased, not systems restored. The case exposes the shift to pure data extortion.
U.S. County Quietly Paid $1 Million to Data Extortionists Who Never Encrypted a File
Written by Lucas Greene

A small county government in Ohio handed over roughly $1 million in Bitcoin last year. The money went to a group called Kairos. The group never locked any systems. It simply took the data and threatened to release it.

The transaction stayed hidden until researchers pieced together a leaked chat log and followed the cryptocurrency trail. No public disclosure of the payment ever surfaced from the victim. Yet the evidence points squarely at Union County.

Rakesh Krishnan laid out the full sequence in a detailed case study published by Ransom-ISAC. The analysis draws on negotiation transcripts and blockchain records. It shows how extortion can succeed without a single piece of ransomware deployed.

Kairos first reached out on May 19, 2025. “Hi. We have more than 2tb (1602775 files) at our disposal,” the initial message read. The group demanded $3 million to prevent publication. It offered a sample archive and invited the victim to pick 10 files for verification.

The county pushed back. It started with an offer of $100,000 on June 4. Talks dragged on for nearly a month. Kairos gradually lowered its ask. By June 9 the group set a firm $1 million demand with a Friday deadline. “If we do not see this amount on Friday on our wallet, your files will be immediately published on our site,” it warned.

Payment cleared on June 13. About 9.44 BTC moved to a wallet controlled by Kairos. The funds split quickly. One branch headed toward ByBit. Another touched OKX and the Russian-linked BELQI exchange. Krishnan traced the flows in detail. The money moved fast. Some wallets stayed active into 2026.

Union County had already gone public about a data incident months earlier. It notified 45,487 residents and staff after discovering unauthorized access between May 6 and 18, 2025. The county described itself in negotiations as a small operation with limited resources. File names in the chat, including references to “Union.xlsx” and prosecutor office documents, matched its operations.

But this was never about encryption. Investigators found no ransomware sample, no encryptor binary, no locker. “No ransomware sample, encryptor, or locker binary has been confidently linked to Kairos,” the Ransom-ISAC report states. The group relied entirely on stolen information and the fear of its exposure.

That fear carried weight. Kairos highlighted a “prosecutors office” folder. Leaking it, the group said, would let criminals dodge responsibility and spark public outrage. “We understand perfectly well how valuable information we have in our hands,” one message noted. The county felt the pressure. It raised its offers step by step to $430,000 before conceding to the final million.

After the payment, Kairos sent what it called proof of deletion. The file contained more than 1.3 million lines listing documents with dates stretching back decades. Nothing in it allowed independent verification. No cryptographic hashes tied the list to the original data. “The provided ‘proof of deletion’ was not technically verifiable,” Krishnan wrote. The promise not to attack again or share the files rests on trust alone.

Kairos emerged in November 2024. Its leak site listed 88 victims before going offline. The group’s infrastructure resolved to a server in Ukraine at one point. That backend was later seized by local authorities. Yet the associated cryptocurrency wallet continued moving funds as recently as May 2026, according to Security Affairs.

The incident fits a larger pattern. Traditional ransomware groups have reduced their use of encryption. Sophos reported in 2025 that only about half of attacks still involved locking files. The lowest rate in six years. Pure data theft now drives many operations. Groups such as the Silent Ransom collective operate the same way. They exfiltrate information, skip the encryption step, and focus on reputational damage.

Swati Khandelwal covered the case for The Hacker News. She noted warning signs that organizations often miss. Repeated failed logins. Large outbound data transfers. Use of temporary file-sharing services with odd links. Kairos claimed it gained entry through brute-force password guessing. The county apparently lacked multifactor authentication on critical accounts.

Small government entities face particular risks. They hold sensitive resident records, court documents, and employee data. Budgets for security remain tight. Insurance policies sometimes cover ransom payments, though federal guidance discourages them. The county’s decision to pay without public mention of the seven-figure sum raises questions about transparency and compliance.

Blockchain analysis reveals more than just the payment total. The rapid splitting of funds into separate streams suggests professional money laundering. One path led toward Cumberland DRW, a known over-the-counter desk. Others funneled through multiple cryptocurrency exchanges. Such patterns help investigators but rarely lead to quick arrests.

And the implications stretch beyond this one county. Public-sector organizations store data that carries legal and political weight. A leak from a prosecutor’s office could compromise ongoing cases. Exposure of resident records invites identity theft on a mass scale. Attackers know this. They calibrate demands accordingly.

Krishnan and his contributors at Ransom-ISAC emphasized the mechanics. Staged concessions. Tight deadlines. Selective sharing of sample files. Rapid responses during talks. The entire exchange lasted 28 days. Messages often arrived within minutes or hours. Professional negotiators on the victim side might have bought more time. The county appears to have handled talks directly.

Experts have long warned of this evolution. Leaked chats from groups like Black Basta and Conti show similar haggling. Initial multimillion-dollar asks drop sharply under sustained pushback. Yet victims still pay because the alternative feels worse. In this instance the alternative was a public data dump on a dark-web site.

Union County did not respond to requests for comment on the payment. Its earlier breach notification focused on the discovery and notification process. It offered credit monitoring to affected individuals. No mention was made of any ransom or extortion demand.

The case arrives as federal agencies push harder against ransomware. The Cybersecurity and Infrastructure Security Agency maintains stopransomware.gov as a central resource. It urges reporting to the FBI’s Internet Crime Complaint Center or Secret Service field offices. Payment details rarely become public. This one surfaced only because the chat log leaked.

So what should counties and similar entities do differently? Enable multifactor authentication everywhere possible. Segment networks to limit lateral movement. Monitor for unusual outbound traffic. Prepare incident response plans that include legal and communications teams from the start. And recognize that deletion promises come with no guarantee.

Kairos may represent the new normal more than the exception. Its leak site is down. The group has gone quiet in recent months. But copycats will emerge. The tactics require little technical sophistication once initial access is gained. Data exfiltration tools are cheap and effective. The leverage comes from the information itself.

Payment flowed on a Friday in June 2025. By Monday the chat ended with assurances of no further contact. The county likely breathed easier. Its systems were never locked. Operations continued without the chaos of decryption. Yet the data had been copied. Its permanent disappearance cannot be proven.

That uncertainty defines this new phase of cyber extortion. Organizations pay not to regain access but to buy silence. Attackers sell the absence of a leak rather than a decryption key. The economics favor the criminals. The risks fall on the public sector and its residents.

Researchers will continue to dissect these incidents. Blockchain trails grow colder with time but still yield patterns. Chat logs, when they surface, reveal negotiation strategies worth studying. And government entities may face increasing pressure to disclose payments that affect taxpayer funds.

For now this million-dollar transfer stands as a concrete example. A U.S. county paid to keep 1.6 million files from public view. No files were encrypted. No systems went offline. The extortion worked anyway.

Subscribe for Updates

CybersecurityUpdate Newsletter

The CybersecurityUpdate Email Newsletter is your essential source for the latest in cybersecurity news, threat intelligence, and risk management strategies. Perfect for IT security professionals and business leaders focused on protecting their organizations.

By signing up for our newsletter you agree to receive content related to ientry.com / webpronews.com and our affiliate partners. For additional information refer to our terms of service.

Notice an error?

Help us improve our content by reporting any issues you find.

Get the WebProNews newsletter delivered to your inbox

Get the free daily newsletter read by decision makers

Subscribe
Advertise with Us

Ready to get started?

Get our media kit

Advertise with Us