County Paid $1 Million to Stop Leak of Stolen Files, Case Study Shows
Today
rewrite this article as a news article with no sub headings or bullets and give it a title: A U.S. government entity paid about $1 million to keep stolen files from being leaked, according to a new case study by Rakesh Krishnan for Ransom-ISAC, built on a leaked negotiation chat and the blockchain trail the payment left.
The odd part: the group that took the money calls itself Kairos, but it may not be a ransomware gang at all. Krishnan found no sign that it ever locked a single machine: no encryptor, no locker, no demand for a decryption key. The threat was simpler. Steal the files, then charge the victim not to publish them.
Krishnan does not name the victim, but the chat points to Union County, Ohio. The proof-of-theft files carry names like Union.xlsx, 1 union co psi template.doc, and a final archive called union.rar. The victim calls itself a small county with limited resources. The attacker leans on one folder in particular, marked "prosecutors office," warning that leaking it would help criminals dodge charges.
The clues fit a real case. In May 2025, Union County, Ohio, said it detected ransomware on its network and later notified 45,487 residents and staff that their data had been taken, affecting most of the county of roughly 70,000. The stolen records ran from Social Security and financial details to fingerprints and passport numbers.
Cybersecurity
Neither the county nor Kairos has confirmed the connection. But if it holds, a county government paid about $1 million it never publicly disclosed. The Hacker News has contacted the Union County Commissioners' Office for comment. This story will be updated with any response.
The negotiation ran for about a month. Kairos opened at $3 million and claimed it was holding more than 2 terabytes of data, some 1.6 million files. The county started at $100,000, crept up to $255,000, then $430,000. Kairos dropped to $2 million, then set a hard final number: $1 million, pay by Friday, or the files go public.
The payment on-chain: about 9.44 BTC lands in the Kairos-linked wallet.
It used the usual levers: a countdown timer, tight deadlines, and threats to dump the most sensitive folders first. The county paid on June 13, 2025, ten times its first offer.
The payment was roughly 9.44 bitcoin, worth about $1 million at the time. Krishnan traced the money from there. Within hours, it was split in two and pushed through a chain of wallets toward deposit addresses tied to the crypto exchanges Bybit, OKX, and a Russian service called BELQI.
That kind of tracing hands investigators leads, not names. And the money bought nothing solid. Kairos sent over a "proof of deletion" file, but a list of file names shows only that the attacker once had the files, not that the originals were wiped. Paying to make stolen data disappear is an act of faith, and the receipt is written by the thief.
Union County called what happened to it ransomware, the word everyone reaches for, but in the Kairos case, nothing was locked. That is the real shift: much of what still gets called ransomware now skips encryption and uses the stolen data itself as the pressure point.
Sophos reported in 2025 that only about half of ransomware attacks still involve any encryption, the lowest rate in six years. Some crews have dropped it entirely. Silent Ransom Group, a Conti offshoot, has spent years running pure data-theft extortion against U.S. law and finance firms with no encryptor at all.
Cybersecurity
The Kairos chat fits a familiar negotiation pattern, too. When Black Basta's internal chats leaked in February 2025, an analysis of the messages turned up a deal that ran from a $1.5 million demand to a $100,000 counter to a $1 million payment, almost the same arc. Those chats, and the Conti leaks before them in 2022, are how researchers now reconstruct the way these bargains actually get struck.
Kairos itself has gone quiet. The leak site is down, and its last known victim showed up in June 2026. But a wallet tied to the operation was still moving money as recently as May 2026, a reminder that a dark leak site is not the same as a dead crew.
For anyone running a small government network, the lessons are dull and familiar, which is rather the point. Turn on multi-factor authentication, since Kairos claimed it got in by simply guessing a password.
Watch for repeated failed logins, large outbound data transfers, and burner file-sharing links like the temp.sh addresses Kairos used to move the files. Keep legal, HR, and citizen records walled off from the rest of the network. Have a public statement plan ready before you need one. And treat any promise to delete stolen data as worth exactly nothing.
County Paid $1 Million to Stop Leak of Stolen Files, Case Study Shows
A U.S. government entity quietly paid about $1 million to prevent stolen files from being leaked, according to a new case study by researcher Rakesh Krishnan for Ransom‑ISAC. The report is based on a leaked negotiation chat and blockchain records that trace the payment. The attacker, calling itself “Kairos,” may not be a ransomware gang at all. Krishnan found no evidence of encryption, no locked systems, and no demand for a decryption key—only a threat to publish stolen data unless the victim paid.
Krishnan does not name the victim, but the negotiation logs point strongly to Union County, Ohio. The stolen files included names like Union.xlsx, 1 union co psi template.doc, and a final archive labeled union.rar. The victim described itself as a small county with limited resources, while the attacker repeatedly emphasized one folder labeled “prosecutors office,” warning that leaking it would help criminals evade charges.
The clues align with a real incident. In May 2025, Union County reported detecting ransomware on its network and later notified 45,487 residents and staff that their data had been stolen—impacting most of the county’s roughly 70,000 residents. The compromised records included Social Security numbers, financial information, fingerprints, and passport details. Neither Union County nor Kairos has confirmed the connection, but if accurate, the county paid a $1 million extortion it never publicly disclosed. The Hacker News has contacted the Union County Commissioners’ Office for comment.
The negotiation lasted about a month. Kairos began with a $3 million demand, claiming to hold more than 2 terabytes of data—around 1.6 million files. The county countered at $100,000, then raised its offer to $255,000 and later $430,000. Kairos dropped to $2 million before setting a final ultimatum: $1 million by Friday or the data would be released. The county paid on June 13, 2025, ultimately sending roughly 9.44 bitcoin, worth about $1 million at the time.
Krishnan traced the payment on-chain. Within hours, the funds were split and routed through multiple wallets toward deposit addresses linked to Bybit, OKX, and a Russian service called BELQI. The tracing provides investigative leads but no identities. Kairos supplied a “proof of deletion” file, but it merely listed filenames—showing only that the attacker once possessed the data, not that it was erased. Paying to make stolen data disappear remains an act of faith, and the receipt is written by the thief.
Union County described the incident as ransomware, the default term many organizations still use, but the Kairos case involved no encryption at all. That reflects a broader shift. Sophos reported in 2025 that only about half of ransomware attacks still involve encryption, the lowest rate in six years. Some groups have abandoned it entirely. Silent Ransom Group, a Conti offshoot, has spent years extorting U.S. law and finance firms through pure data theft with no encryptor.
The Kairos negotiation also mirrors patterns seen in other leaked chats. When Black Basta’s internal messages surfaced in February 2025, researchers documented a deal that moved from a $1.5 million demand to a $100,000 counteroffer to a $1 million settlement—almost the same trajectory. Leaks from Conti in 2022 similarly revealed how these bargains are struck behind the scenes.
Kairos itself has gone quiet. Its leak site is offline, and its last known victim appeared in June 2026. But a wallet tied to the operation was still active as recently as May 2026, showing that a dark leak site going dark does not necessarily mean the crew is gone.
For small government networks, the lessons are familiar. Enable multi‑factor authentication—Kairos claimed it gained access by guessing a password. Monitor for repeated failed logins, large outbound data transfers, and temporary file‑sharing links like the temp.sh URLs Kairos used. Segregate legal, HR, and citizen records from the rest of the network. Prepare a public‑statement plan before it’s needed. And treat any promise to delete stolen data as worthless.
write a 300 character version
A county government paid about $1M to stop stolen files from leaking, according to a case study pointing to Union County, Ohio. The attacker, Kairos, used pure data‑theft extortion with no encryption. The county paid 9.44 BTC after a month‑long negotiation, but proof of deletion was unverifiable.