U.S. Government Agency Paid $1M to Data Extortion Group Kairos


Pierluigi Paganini
July 04, 2026

A U.S. government agency paid $1M to Kairos, a group focused on data theft and extortion rather than ransomware, Ransom-ISAC reports.

A new case study from Ransom-ISAC reconstructs a complete data-extortion incident involving a U.S. government body and a threat actor called Kairos, using a leaked negotiation transcript and blockchain tracing of the ransom payment. The victim paid roughly $1 million in Bitcoin on June 13, 2025. The uncomfortable detail: Kairos has never been confirmed to have deployed ransomware at all.

“On 19 May 2025, a U.S. government entity was reportedly targeted by Kairos. Kairos later claimed the access was obtained through a brute-force credential attack. The entity was listed on Kairos’s victim site on 21 May 2025.” reads the report published by Ransom-ISAC.

Rather than deploying encryption, Kairos appears to have focused on data exfiltration and public-exposure pressure. The group claimed to hold more than 1.6 million files — 1,602,775 files in total — and 2 TB of data before making contact.

No encryptor, no locker binary, no decryption key demand. What Kairos appears to have done is steal data, then charge the victim not to publish it. As the Ransom-ISAC report states:

“No ransomware sample, encryptor, or locker binary has been obtained or confidently linked to Kairos.” continues the report. “On the available evidence, the U.S. government body paid a seven-figure ransom to a threat actor whose “ransomware group” status remains unverified and whose leverage appears to have been based on data-theft and publication pressure rather than demonstrated ransomware capability.”

The victim called the incident ransomware. The word no longer means what most people think it means.

The report doesn’t name the victim, citing privacy concerns. The transcript does the naming itself. The requested sample files include documents called Union.xlsx, “1 union co psi template.doc,” and a final archive delivered post-payment called union.rar. The victim describes itself as “a small county with limited resources.”

The timeline fits: in May 2025, Union County, Ohio, disclosed it had detected a network intrusion and later notified 45,487 residents and employees that their data had been stolen, covering most of a county of roughly 70,000 people. The stolen records included Social Security numbers, financial details, fingerprints, and passport numbers. Neither the county nor Kairos has confirmed the connection.

I conducted personal research and I can confirm that Union County stated cybercriminals accessed the County’s network between May 6 and 18, 2025 and stole some data. By August 25, officials had finished reviewing the breach and had begun notifying affected individuals. However, the government entity at the time confirmed a ransomware attack, as reported in the data breach notification letter.

“On May 18, 2025, the County detected ransomware on our computer network. As soon as we learned this, we immediately launched an investigation with assistance from nationally recognized third-party cybersecurity and data forensics consultants to secure our network and investigate the scope of the incident. We also alerted federal law enforcement.” reads the data breach notification letter sent to the impacted individuals and shared with the Maine Attorney General. “Through our investigation, we determined that the cyber criminals accessed our network from May 6, 2025 through May 18, 2025, and took some County data.”

Kairos listed the victim on its leak site on May 21, 2025, two days after first contact. The group claimed to hold more than 2 terabytes of data, specifically 1,602,775 files. Kairos later claimed the access was obtained through a brute-force credential attack: a single guessed password.

The transcript covers 28 days of back-and-forth. Kairos opened at $3 million. The victim countered at $100,000 on June 4, then raised to $255,000, then $430,000. Kairos dropped to $2 million, held there briefly, then issued a hard deadline: $1 million by Friday or the files go public. The victim paid. The final payment was 33 times the first offer and 2.3 times the highest recorded counter.

Kairos ran a disciplined negotiation. Responses came within minutes to a few hours throughout the 28-day window, suggesting an actively monitored channel. The pressure tactics were textbook: a countdown timer, escalating deadlines, selective reference to the most sensitive material. Kairos specifically highlighted a folder marked “prosecutors office,” warning that leaking it would help criminals avoid prosecution and cause a public outcry.

“Kairos maintained leverage by controlling deadlines, publication threats, and proof-of-access artefacts. The affected entity’s responses are consistent with an organization buying time while legal, leadership, financial, and communications decisions were coordinated.” continues the report. “Phrases such as “we appreciate your patience” and “we respect the effort you’ve made” should be read as channel-preservation language, not endorsement of the attacker’s conduct.”

Public-sector incident response requires coordinating legal, financial, leadership, and communications teams simultaneously, and the transcript shows exactly that process playing out in slow motion under deadline pressure.

After payment, Kairos sent over a “proof of deletion” file: a 238 MB text file listing filenames. That list proves the attacker once had the files. It proves nothing about whether they were destroyed. There was no hash verification, no cryptographic binding, no exit-code logging. The same list could be generated by running a script against a copy of the stolen data sitting on a different server. As Ransom-ISAC’s report puts it directly:

“The provided “proof of deletion” was not technically verifiable and should not be treated as evidence that the stolen data was destroyed.” continues the report.

Paying to make stolen data disappear is an act of faith, and the receipt is written by the thief.

Krishnan traced the approximately 9.44 BTC from the Kairos payment wallet through its subsequent movement. Within hours of receipt, the funds split into two branches: 6.61 BTC went to a wallet Ransom-ISAC calls the “Main Guy,” and 2.83 BTC went to a “Helper” wallet. The Main Guy branch moved 6.50 BTC toward a ByBit deposit address three days later. The Helper branch fragmented through a series of intermediate wallets before touching addresses associated with OKX and a Russian exchange called BELQI.

The entire active transfer window ran from June 16 at 15:52 UTC to 19:26 UTC, three hours and 34 minutes. The speed and structure of the movement (rapid splitting into branches, repeated use of the same OKX deposit addresses, routing toward a Russian exchange) reflect deliberate operational tradecraft. The report identifies four high-confidence wallet addresses associated with the payment flow and linked to ByBit, OKX, and BELQI. These are investigative leads, not attribution. Exchange records and subpoenas are what convert blockchain tracing into named individuals.
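As an added example, not code from the Ransom-ISAC report or from this article, the following Python walks a constructed transaction graph shaped like the flow described above: the split into a Main Guy and a Helper branch, fragmentation through intermediate hops, and deposits to addresses labelled as exchanges, plus the active-window and reused-deposit checks an analyst would run. The address names, the hop timestamps and the Helper-branch amounts are constructed placeholders; only the 6.61/2.83 BTC split and the 6.50 BTC hop toward ByBit follow the report's figures.

```python
from collections import defaultdict, deque
from datetime import datetime

# Constructed hops: (sender, receiver, amount in BTC, UTC time). Address names are
# placeholders, not the addresses in the report. The 6.61/2.83 split and the 6.50 BTC
# hop toward ByBit follow the report; every other amount and time is illustrative.
EDGES = [
    ("PAYMENT_WALLET", "MAIN_GUY",    6.61, "2025-06-16T15:52:00"),
    ("PAYMENT_WALLET", "HELPER",      2.83, "2025-06-16T15:52:00"),
    ("MAIN_GUY",       "BYBIT_DEP_1", 6.50, "2025-06-19T10:05:00"),  # "three days later"
    ("HELPER",         "HOP_A",       1.40, "2025-06-16T16:31:00"),
    ("HELPER",         "HOP_B",       1.43, "2025-06-16T16:31:00"),
    ("HOP_A",          "OKX_DEP_1",   1.39, "2025-06-16T18:02:00"),
    ("HOP_B",          "HOP_C",       1.43, "2025-06-16T18:40:00"),
    ("HOP_C",          "OKX_DEP_1",   0.90, "2025-06-16T19:26:00"),  # same OKX deposit reused
    ("HOP_C",          "BELQI_DEP_1", 0.52, "2025-06-16T19:26:00"),
]
# Constructed attribution data: deposit address -> exchange. In practice this comes
# from a labelled-address dataset; the labels are leads to subpoena, not attribution.
LABELS = {"BYBIT_DEP_1": "ByBit", "OKX_DEP_1": "OKX", "BELQI_DEP_1": "BELQI"}


def trace_to_exchanges(start, edges, labels):
    """Breadth-first walk from `start`; a hop into a labelled deposit address ends that
    path and its amount is credited to the exchange. Returns (totals, paths)."""
    outgoing = defaultdict(list)
    for sender, receiver, amount, _ in edges:
        outgoing[sender].append((receiver, amount))
    totals, paths = defaultdict(float), []
    queue, visited = deque([(start, [start])]), {start}
    while queue:
        addr, path = queue.popleft()
        for receiver, amount in outgoing[addr]:
            if receiver in labels:
                totals[labels[receiver]] = round(totals[labels[receiver]] + amount, 8)
                paths.append(path + [receiver])
            elif receiver not in visited:  # intermediate wallet: keep walking
                visited.add(receiver)
                queue.append((receiver, path + [receiver]))
    return dict(totals), paths


def reused_deposits(paths):
    """Deposit addresses that terminate more than one path (repeated use of the same
    exchange deposit address is one of the tradecraft markers the report lists)."""
    counts = defaultdict(int)
    for path in paths:
        counts[path[-1]] += 1
    return {addr: n for addr, n in counts.items() if n > 1}


def active_window(edges, senders=None):
    """(first hop, last hop, span) over the hops made by `senders` (all when None)."""
    times = [datetime.fromisoformat(ts) for sender, _, _, ts in edges
             if senders is None or sender in senders]
    return min(times), max(times), max(times) - min(times)


if __name__ == "__main__":
    totals, paths = trace_to_exchanges("PAYMENT_WALLET", EDGES, LABELS)
    print("BTC reaching labelled exchanges:", totals)
    for p in paths:
        print(" -> ".join(p))
    print("reused deposit addresses:", reused_deposits(paths))
    helper_branch = {"PAYMENT_WALLET", "HELPER", "HOP_A", "HOP_B", "HOP_C"}
    first, last, span = active_window(EDGES, helper_branch)
    print(f"Helper branch active {first:%H:%M}-{last:%H:%M} UTC, span {span}")
```

The Helper-branch window in the constructed data spans 15:52 to 19:26 UTC, the three hours and 34 minutes the report gives; the totals per exchange are what a subpoena to that exchange would be asked to match against deposit records.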

Kairos first appeared in November 2024 and has listed 88 victims on its leak site. The group operated through a Tor onion address and an email contact at [email protected], a naming convention that echoes LockBit’s “LockBitSupp” handle, though Ransom-ISAC notes that’s a branding similarity only.

In January 2026, infrastructure hunting identified a likely backend server for the Kairos leak site resolving to 62.182.81.38, hosted on Virtual Systems LLC in Ukraine, an ASN that has appeared in previous malware and Cobalt Strike-related infrastructure reporting. The server was later found displaying a seizure notice attributed to Ukraine’s Security Service Cyber Department. The leak site is now down. A wallet tied to the operation was still moving funds as recently as May 2026. A seized website and an active wallet are two different things.

The broader shift Kairos represents is real and documented. The operational disruption is limited. The legal, reputational, and public-trust pressure is severe, particularly for a county government holding law enforcement records.

“This case illustrates how data-only extortion can create significant pressure even without encryption or operational disruption. Kairos used file-access claims, publication threats, staged concessions, and deadline pressure to secure a successful seven-figure ransom payment from a U.S. government body.” concludes the report. “The blockchain activity provides useful investigative leads, including rapid fund splitting and exchange touchpoints, but it should not be treated as standalone attribution. The strongest finding is operational: public-sector organizations need pre-authorized escalation paths, negotiation support, egress monitoring, and a clear understanding that attacker deletion claims are not independently verifiable.”

