Cybercrime

A US Government Body Paid Cybercriminals $1 Million

A US Government Body Paid Cybercriminals $1 Million
Photo by Jon Sailer / Unsplash

Leaked negotiation logs and payment tracing published by Ransom-ISAC show a public-sector victim paid a seven-figure ransom over data-leak threats alone. Circumstantial evidence points to Union County, Ohio.

A US government body paid a $1 million ransom to the extortion group Kairos in June 2025 after the attackers claimed to have stolen more than 2 TB of data, according to a case study published by Ransom-ISAC on July 3, 2026. The analysis, based on a leaked negotiation transcript and blockchain tracing, was conducted by researcher Rakesh Krishnan for the information-sharing group.

The most striking finding is not the payment itself. It is who got paid. Ransom-ISAC says no encryptor, locker binary, or ransomware sample has been linked to Kairos, and that the group should not be treated as a confirmed ransomware operation. On the available evidence, a government entity paid seven figures to a data-extortion brand whose leverage rested entirely on the threat of publishing stolen files.

A four-week squeeze

According to the transcript, Kairos made contact on May 19, 2025, claiming to hold roughly 1.6 million files and demanding $3 million. The victim was listed on the group's leak site two days later.

The negotiation followed a familiar arc. The victim, which described itself in the chat as "a small county with limited resources," opened with a $100,000 counter-offer on June 4. Kairos rejected it, dropped its demand to $2 million, and kept the deadline pressure on. The victim raised its offer to $255,000, then $430,000. On June 9, Kairos set a final price of $1 million with a Friday deadline and a threat of immediate publication. The payment was sent on June 13, 2025.

In return, the victim asked for proof of deletion, a full file list, and an explanation of how the attackers got in. Kairos claimed the intrusion came from a brute-force credential attack, a claim Ransom-ISAC could not verify. The "proof of deletion" was a 238 MB text log listing more than 1.3 million files. The researchers note it carries no cryptographic verification and could have been generated from a copy of the data. It proves the attackers had the files, not that they destroyed them.

Pay or leak

Blockchain tracing shows the ransom split into two branches within hours of receipt. The larger branch, 6.61 BTC, moved toward a ByBit deposit address. The smaller branch fragmented through intermediary wallets and repeatedly touched addresses associated with OKX and BELQI, a Russian exchange. Ransom-ISAC stresses these exchange touchpoints are investigative leads, not attribution to individuals.

The apparent victim

Ransom-ISAC does not name the affected entity. But among the sample files the victim requested during negotiations was a press release about a fatal motorcycle crash involving a resident of Dublin, Ohio. Union County, Ohio, which includes part of Dublin, disclosed in September 2025 that it detected ransomware on its network on May 18, 2025, one day before the Kairos chat logs begin, with attacker access dating back to May 6.

The county's notice says the compromised data included residents' Social Security numbers, driver's license and state ID numbers, financial account information, dates of birth, fingerprint information, medical information, payment card information, and passport numbers. The notice makes no mention of a ransom payment, and neither the county nor Ransom-ISAC has confirmed the connection. There is also a discrepancy between the sources: the county describes a ransomware attack, while Ransom-ISAC observed no encryption in the available material.



International Cyber Digest

Get the ICD Newsletter

Subscribe for source-forward cyber news, OSINT notes, breach updates, and analysis. Have evidence or a lead? Send it to ICD.

Subscribe Send a tip