A U.S. government entity paid about $1 million after stolen files were threatened with public release in a data theft extortion case tied to Union County, Ohio, according to a case study by Ransom-ISAC based on leaked negotiations and blockchain tracing.
KEY FACTS
- Victim The chat and file names point to Union County, Ohio.
- Payment About 9.44 bitcoin, worth roughly $1 million at the time, was sent on June 13, 2025.
- Method The attackers appear to have used data theft and extortion rather than file encryption.
- Impact The county later said data from residents and staff was taken, including sensitive records.
The report says the group calling itself Kairos opened with a $3 million demand and claimed to hold more than 2 terabytes of data. Over about a month, the county moved from a $100,000 offer to $430,000 before the final demand settled at $1 million.
Union County said in a public notice that it detected ransomware in May 2025 and later notified 45,487 residents and staff that their data had been taken. The disclosure said the exposed records included Social Security numbers, financial details, fingerprints and passport numbers.
Blockchain tracing in the report said the bitcoin was split and moved through several wallets toward deposit addresses tied to Bybit, OKX and BELQI. The case study also said Kairos provided a proof of deletion file, but that file did not verify that the stolen data was erased.
The report described Kairos as a pure extortion operation with no evidence of encryption or a decryption tool. It also said the group claimed it gained access by guessing a password, underscoring the role of basic account security in these intrusions.
WHY IT MATTERS
The case shows how data theft alone can be used to pressure public agencies into paying large sums, even without traditional ransomware encryption. It also highlights the value of multifactor authentication, access controls and incident response planning for local governments.

