US Government Body Paid $1M to Hackers Who Never Locked a Single File
A leaked negotiation chat and a Bitcoin trail expose a pure data-theft extortion, with the clues pointing to a small Ohio county.
July 4, 2026 – 9:53 pm
TL;DR:
A US government entity paid about $1m to stop stolen files from being published, according to a case study by researcher Rakesh Krishnan for Ransom-ISAC. The analysis draws on a leaked negotiation chat and blockchain analysis.
The group behind the deal calls itself Kairos, but it may not be a ransomware gang in any traditional sense. Krishnan found no encryptor, no locker, and no demand for a decryption key—just stolen files and a price for keeping them private.
The Case Study
The case study does not name the victim, but file names in the proof-of-theft samples, including an archive called union.rar, point to Union County, Ohio. Neither the county nor Kairos has confirmed the connection.
Clues Align with Real Incident:
In May 2025, Union County detected ransomware on its network and later notified 45,487 people that data including Social Security numbers, fingerprints, and passport details had been taken. If the identification is correct, a county of roughly 70,000 residents made a $1m payment that it never publicly disclosed.
Anatomy of a $1M Deal
The negotiation ran for about a month. Kairos opened at $3m and claimed to hold more than 2TB of data across 1.6 million files. The county countered at $100,000 and inched up to $430,000 before the two sides settled on a final figure of $1m. The victim paid on June 13, 2025, ten times its opening offer.
The payment of roughly 9.44 bitcoin matched about $1m at that week’s market prices. It was split and routed through a chain of wallets towards deposits at Bybit, OKX, and BELQI.
Tracing Leads Over Identities:
This kind of tracing gives investigators leads rather than identities. Criminal crews have spent years refining how they launder cryptocurrency through mules, mixers, and loosely regulated exchanges.
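The following is an added illustration of how the "leads, not identities" tracing described above works, not code or data from the Ransom-ISAC case study. It runs pro-rata ("haircut") taint tracing over a constructed toy ledger: the txids, addresses, amounts and the attribution labels are all made up for the example (the 9.44 BTC seed value is the only figure taken from the article). When a transaction mixes tainted coins with unrelated inputs, each output inherits the tainted share, so the trace ends with how much of the ransom is resting at each labeled deposit point (an exchange that can be served a legal request) versus a mixer or an unattributed wallet, where the lead goes cold.

```python
from collections import defaultdict

# Constructed toy ledger in confirmation order. Every txid, address and amount here is
# invented for the example; none of it is the Kairos payment chain from the case study.
# Each entry: (txid, inputs it spends, outputs it creates), amounts in BTC.
LEDGER = [
    ("tx_pay",   [("victim_wallet", 9.50)],                  [("kairos_A1", 9.44), ("victim_change", 0.06)]),
    ("tx_split", [("kairos_A1", 9.44)],                      [("hop_B1", 4.00), ("hop_B2", 3.00), ("hop_B3", 2.44)]),
    ("tx_b1",    [("hop_B1", 4.00), ("unrelated_X", 1.00)],  [("dep_exchange1", 4.90), ("hop_C1", 0.10)]),
    ("tx_b2",    [("hop_B2", 3.00)],                         [("mixer_in", 3.00)]),
    ("tx_b3",    [("hop_B3", 2.44)],                         [("dep_exchange2", 2.40), ("hop_C2", 0.04)]),
]

# Assumed attribution labels. In a real investigation these come from exchange deposit
# address clustering and, later, KYC records obtained by legal process.
LABELS = {
    "dep_exchange1": "Exchange-1 deposit",
    "dep_exchange2": "Exchange-2 deposit",
    "mixer_in": "Mixing service",
}


def trace_taint(ledger, seed_address):
    """Follow the seed output forward with pro-rata taint.

    For each tx, the tainted fraction of its inputs is applied to every output,
    so a tx that spends 4 tainted BTC and 1 clean BTC yields outputs that are
    80% tainted. Spent outputs are consumed; the result maps each address that
    still holds tainted coins at the end of the ledger to the tainted amount.
    """
    taint = defaultdict(float)  # unspent address -> tainted BTC parked there
    for _txid, inputs, outputs in ledger:
        tainted_in = sum(taint.pop(addr, 0.0) for addr, _ in inputs)
        total_in = sum(amt for _, amt in inputs)
        ratio = tainted_in / total_in if total_in else 0.0
        for addr, amt in outputs:
            if addr == seed_address:
                taint[addr] += amt          # the ransom payment itself seeds the trace
            elif ratio:
                taint[addr] += amt * ratio  # inherit the tainted share of the inputs
    return dict(taint)


def summarize_leads(ledger, seed_address, labels):
    """Group the resting taint by attribution label.

    Labeled exchange deposits are actionable leads; anything unlabeled is a
    wallet with no known owner and is reported as 'unattributed wallet'.
    """
    leads = defaultdict(float)
    for addr, amt in trace_taint(ledger, seed_address).items():
        leads[labels.get(addr, "unattributed wallet")] += amt
    return dict(leads)


if __name__ == "__main__":
    seed = "kairos_A1"
    resting = trace_taint(LEDGER, seed)
    total = sum(resting.values())
    print(f"tainted BTC accounted for: {total:.2f}")
    for label, amt in sorted(summarize_leads(LEDGER, seed, LABELS).items(),
                             key=lambda kv: -kv[1]):
        print(f"  {label:22s} {amt:6.2f} BTC  ({100 * amt / total:5.1f}%)")
```

In this constructed run the exchange deposits account for 6.32 of the 9.44 BTC and are the only points where a subpoena could turn an address into a person; the 3 BTC that entered the mixer and the 0.12 BTC sitting in unlabeled change addresses are exactly the residue the section describes, a trail without a name on it. Real tracing differs in volume (thousands of outputs, peel chains, CoinJoins) but not in kind: the same forward pass, with the same limits once funds hit a mixer or an exchange that will not answer.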
Data-Theft Extortion Without Encryption
Union County described the incident as ransomware, yet nothing in the Kairos case was ever encrypted. A growing share of what still carries that label now skips lockers entirely and uses the stolen data itself as the pressure point—a playbook aimed at the private sector too.
Sophos reported in 2025 that only around half of ransomware attacks involve encryption.