Small U.S. County Paid $1M Ransom to Kairos Group
A small U.S. county paid $1 million in Bitcoin to the Kairos extortion group after a May 2025 intrusion that reportedly stole about 2TB of data.
A small U.S. county paid $1 million in Bitcoin to the Kairos extortion group following a May 2025 security intrusion that the attackers said removed roughly 2 terabytes of data. The ransom payment was made on June 13 after several weeks of negotiations, according to a leaked transcript and materials reviewed by Ransom-ISAC.
The negotiation record shows the extortionists initially demanded $3 million in cryptocurrency and claimed to have scraped about 1.6 million files from the county’s environment after gaining access through a brute-force attack. Over a three-week exchange, the county’s offers rose from $100,000 to $430,000 before the parties agreed to the $1 million payment to meet a hard deadline.
Ransom-ISAC, which reviewed the transcript and related evidence, classified the incident as an extortion attack rather than a file-encrypting ransomware event. The group noted the attackers provided selective “proof-of-deletion” listings that could reflect deletion of a copy of stolen files rather than removal of original records, and that the attackers did not provide a way to independently verify deletion. The listings were consistent with a file-server scrape, Ransom-ISAC said.
The negotiation materials do not name the victim, describing it instead as “a small county with very limited resources.” The affected government appears to be Union County, Ohio, which in September sent a notification to 45,487 people saying personal information was exposed in the May incident. The county’s notice listed affected data including names, dates of birth, driver’s license and state ID numbers, passport numbers, Social Security numbers, financial account details, fingerprint information, medical information, and payment card details.
The transcript shows the attackers controlled public exposure through deadlines and regularly presented proof-of-access artifacts while pressing for payment. The county increased its offers during negotiations and accepted the ransom when faced with a final deadline.
Ransom-ISAC wrote, “The affected entity’s responses are consistent with an organization buying time while legal, leadership, financial, and communications decisions were coordinated.” The group added that the attackers’ control of deadlines and proof artifacts influenced the pace and content of the talks.
Security organizations caution that paying a ransom does not guarantee data deletion or prevent future disclosures and that claimed proof-of-deletion can be difficult to validate without independent forensic verification. The negotiation record offers an uncommon public view of how a small local government managed internal coordination while negotiating a high-value extortion demand.




