A U.S. Government Agency Quietly Paid $1 Million to a Group That May Not Even Be Ransomware

A leaked negotiation chat and blockchain trail suggest Kairos runs pure data-theft extortion — no file-locking, just threats to leak.

ThreatVectr Newsdesk· 3 min read
Full-frame edge-to-edge photoreal news-editorial image of a dimly lit government office corridor at night, a single glowing monitor visible through a half-open
Share

Key points

  • A U.S. government entity paid roughly $1 million to an extortion group calling itself Kairos to stop stolen files from being published.
  • The payment was traced on the public blockchain, the shared ledger that records every cryptocurrency transaction.
  • Researcher Rakesh Krishnan, writing for Ransom-ISAC, found no evidence Kairos ever actually locked victims' files with ransomware.
  • The case was pieced together from a leaked negotiation chat between the victim and the criminals.
  • Kairos appears to run a data-theft-only extortion model, threatening to leak stolen data rather than encrypt systems.

An unnamed U.S. government entity handed roughly $1 million to a criminal group known as Kairos to keep stolen files off the internet. The payment, and the negotiation that led to it, were reconstructed by researcher Rakesh Krishnan in a case study for Ransom-ISAC, an information-sharing group that tracks ransom incidents.

The story was first surfaced by The Hacker News.

What makes this one strange is what Kairos apparently didn't do.

So what actually happened to the victim?

The criminals broke into the agency's systems and stole files. They did not, as far as Krishnan can tell, deploy ransomware — the malicious software that scrambles a victim's files and demands payment for the key to unlock them. Instead, Kairos simply took copies of sensitive data and threatened to publish it unless the agency paid.

That distinction matters. A traditional ransomware attack leaves an organisation unable to work: computers frozen, patient records inaccessible, payroll stuck. This attack left the lights on. The pressure came entirely from the threat of a leak.

The victim paid anyway.

How was the payment tracked?

Krishnan followed the money on the blockchain, the public ledger where every Bitcoin and similar cryptocurrency transaction is permanently recorded. Anyone with the right tools can trace where coins move, even if they cannot always name the person holding the wallet. The trail confirmed a payment of roughly $1 million flowing to wallets tied to Kairos.

A leaked chat log between the negotiators filled in the rest: the demands, the haggling, the eventual agreement.

Is Kairos actually a ransomware gang?

Probably not, in the strict sense. Krishnan's analysis found no confirmed case of Kairos encrypting a victim's files. The group behaves more like a pure extortion crew — steal data, threaten to leak, collect payment.

This model is spreading. Several established gangs have quietly dropped the file-locking step because it is technically fiddly, draws more attention from law enforcement, and often isn't needed. If the stolen data is embarrassing or regulated enough, the threat of publication does the work on its own.

Why did a government entity pay?

The case study does not name the agency, and U.S. federal guidance generally discourages ransom payments. But paying is not illegal in most cases, and agencies facing the exposure of sensitive citizen data — think benefits records, investigation files, personnel information — sometimes make the call that a leak is worse than a wire transfer.

That calculation is exactly what groups like Kairos are betting on.

What should ordinary people take from this?

If you have ever handed personal information to a U.S. government office, this specific case is a reminder that the risk of your data ending up in criminal hands is not hypothetical. Practical steps: freeze your credit with the three major bureaus if you haven't already, turn on multi-factor authentication — the second login step that texts or app-prompts a code — for any account tied to government services, and treat unexpected emails claiming to be from an agency with suspicion. Real agencies do not ask for passwords or payment by email.

The Kairos wallets remain visible on-chain. Whether the group re-uses them, or law enforcement moves against them, is the next chapter.

© 2026 Threat Vectr