Here’s a short, mildly horrifying tale: an American government organization quietly handed over cash to a group calling itself Kairos to prevent stolen files from being published. The kicker? There was no crippling encryption, no ransom locker — just the classic threat: pay up or we post your secrets. A researcher pieced this together from a leaked negotiation chat and the blockchain breadcrumb trail the payment left behind.

What went down

The attackers claimed to be holding terabytes of records and began with a three-million-dollar price tag. The victim — a small county operation with limited tech staff — haggled awkwardly: offers started near $100K, nudged into the mid-hundreds, and eventually the attacker set a hard deadline and a final price. The victim paid on the deadline: roughly one million dollars in crypto (about 9.44 BTC at the time).

Clues in the leaked chat and the file names point toward a county incident that had previously been reported as a cyberattack affecting tens of thousands of people. The stolen material reportedly included highly sensitive items — everything from Social Security numbers to passport data — and a folder labeled something like “prosecutors office,” which the extortionists dangled as their most embarrassing bargaining chip.

After the payment, the funds were split and pushed through a chain of wallets and on to deposit addresses associated with a few well-known crypto exchanges and services. Tracing those flows gives investigators useful leads but not instant identifications. The attackers also provided a “proof of deletion” file — basically a receipt written by the thief — which only shows they once had the files, not that they actually erased them.

The most notable bit: there was no sign Kairos ever encrypted any machines. This is part of a larger shift where some crews skip encryption entirely and rely on threat-of-exposure alone — pure data-theft extortion. Paying to make data vanish is an act of faith; the receipt is still written by the person who stole your stuff.

Practical lessons (boring but useful)

  • Enable multi-factor authentication everywhere you can — the attackers claimed entry came from simple password guessing.
  • Alert on repeated failed logins and unusually large outbound transfers; those are often the first signs of a breach.
  • Isolate sensitive departments (legal, HR, citizen records) from general network shares so a single compromise can’t vacuum everything up.
  • Be suspicious of temporary file-sharing links and other odd exfil channels; they’re frequently how files leave a network.
  • Have a public statement plan ready before you need one; surprise and silence make things worse.
  • Never treat a promise to delete stolen data as reliable — a digital “trust me” from a criminal is still a trust-free zone.
  • Keep good backups, patch regularly, and train staff so phish and weak passwords don’t become your headline.

Short version: paying might stop an immediate dump, but it doesn’t buy certainty. The modern extortion playbook sometimes skips the flashy encryption stunt and goes straight for the sensitive files. If you run a small government network, patch the basics, harden access, and assume that any deletion promise is worth exactly nothing — which, admittedly, is not how anyone wants to run a county IT shop, but it will save you headaches (and possibly millions).