US Agency Pays $1M Bitcoin Ransom to Kairos in Major Data Extortion Case

July 4, 2026
US Agency Pays $1M Bitcoin Ransom to Kairos in Major Data Extortion Case
  • A U.S. government entity paid about $1 million in Bitcoin to the Kairos extortion group in June 2025 after a data-extortion incident, with Kairos leveraging data theft and publication pressure rather than encryption to drive the ransom.

  • The payment, totaling roughly 9.44 BTC, followed a negotiation that began with a $3 million demand and progressed over about a month, with threats of publishing stolen files and countdowns used to pressure the victim.

  • The victims were tied to a May 2025 ransomware incident that affected roughly 70,000 residents and staff in Union County, Ohio, making it a large-scale public-sector data breach.

  • After the payment, Kairos provided a 238 MB file labeled as a “proof of deletion,” though investigators warn such proofs are not verifiable evidence that data was truly destroyed.

  • The broader reliability of proof-of-deletion artifacts is questionable, underscoring uncertainty about whether the attackers actually removed the data.

  • This case reflects a shift in ransomware toward “ransomware without encryption,” where the leverage is the threatened release of stolen data rather than encryption of systems.

  • Industry analyses indicate that data-theft extortion is becoming more common, with only about half of attacks in 2025 involving encryption.

  • Blockchain tracing shows the $9.44 BTC ransom moving through multiple wallets and exchanges, providing investigative leads but not definitive attribution to individuals.

  • Practical lessons for governments and organizations include enabling multi-factor authentication, monitoring for repeated failed logins and large outbound transfers, segmenting sensitive data, having a pre-planned public response, and treating delete promises with skepticism.

  • Kairos’ public activity appears to taper, with the leak site down and the last known victim reported in June 2026, even as funds continued to move through wallets into exchanges into mid-2026.

  • Kairos claimed to hold over 1.6 million files and 2 TB of data, but there is no evidence a ransomware encryptor was used, illustrating that the incident was characterized as data theft rather than traditional ransomware.

  • The Union County incident involved a May–May 2025 data breach affecting about 45,487 people, including Social Security numbers, fingerprints, and passport details.

Summary based on 3 sources


Get a daily email with more Tech stories

More Stories