Threat Intelligence | 20 min read | July 3, 2026
Tags: Ransomware, Kairos, Government, USA, Negotiation

Kairos Ransomware: Data-Extortion Case Study Involving a U.S. Government Entity

A leaked negotiation transcript and payment-flow analysis of a successful $1 million ransom payment by a U.S. government body to Kairos — a data-extortion actor whose "ransomware group" status remains unverified — including fund tracing to ByBit, OKX, and BELQI exchange touchpoints.

Rakesh Krishnan

Contributors: Ellis Stannard, Mannie W., Valéry Rieß-Marchive

Note: This report examines a successful ransom payment by a U.S. government body following a Kairos data-extortion incident. The assessment is based on leaked negotiation records and observable payment-flow evidence. Due to privacy concerns, the identity of the negotiator has been masked.

Figure: Cover image for the Kairos data-extortion case study.

Executive Summary

This report examines a successful ransom payment by a U.S. government body following a data-only extortion incident involving Kairos, an actor that should not be treated as a confirmed ransomware group on the available evidence. The available transcript and payment-tracing evidence indicate:

  • Kairos claimed access to more than 2 TB of data, including approximately 1.6 million files.
  • The group's initial demand was $3 million, later reduced to a successful final ransom payment of $1 million.
  • The affected entity's recorded offers increased from $100,000 to $430,000 before Kairos issued a hard deadline.
  • Kairos later claimed the intrusion was achieved through a brute-force credential attack.
  • The provided “proof of deletion” was not technically verifiable and should not be treated as evidence that the stolen data was destroyed.
  • The ransom payment split into multiple branches and touched wallet addresses associated with ByBit, OKX, and BELQI. These exchange touchpoints support further investigation but do not, by themselves, identify individual operators.
  • No ransomware sample, encryptor, or locker binary has been obtained or confidently linked to Kairos. On the available evidence, the U.S. government body paid a seven-figure ransom to a threat actor whose “ransomware group” status remains unverified and whose leverage appears to have been based on data-theft and publication pressure rather than demonstrated ransomware capability.

Introduction

This report analyzes a leaked negotiation transcript and observable payment flow from a successful ransom payment involving a U.S. government body and Kairos. It focuses on attacker tradecraft, negotiation pressure, payment movement, and practical lessons for public-sector organizations.

Importantly, Kairos should not be treated as a confirmed ransomware group on the available evidence. No encryptor sample, locker binary, or independently verified ransomware payload has been obtained in this case. The incident therefore appears to involve payment to an unverified “ransomware” brand operating through data-theft and publication pressure rather than a proven ransomware capability.

Methodology and Source Limitations

This assessment combines a leaked negotiation transcript, attacker-provided artefacts, screenshots, and observable blockchain activity. The negotiation timeline is treated as the strongest evidence source because it is internally consistent and directly tied to the payment sequence. Blockchain observations are used to identify transfer patterns and exchange touchpoints, not to attribute individual operators.

Attacker claims — including the access method, data volume, deletion assurances, and non-retaliation promises — are treated as unverified unless supported by independent evidence. Exchange labels and wallet-clustering observations should be understood as investigative leads that require corroboration from exchange records, subpoenas, or additional off-chain evidence.

Figure: Overview of the Kairos data-extortion incident, including claimed data volume, ransom demand, negotiation outcome, and payment-flow highlights.

Background: Reported Security Incident Involving a U.S. Government Entity

On 19 May 2025, a U.S. government entity was reportedly targeted by Kairos. Kairos later claimed the access was obtained through a brute-force credential attack. The entity was listed on Kairos's victim site on 21 May 2025.

Figure: Kairos post-payment message claiming initial access was achieved through a brute-force credential attack.

Rather than deploying encryption, Kairos appears to have focused on data exfiltration and public-exposure pressure. The group claimed to hold more than 1.6 million files (1,602,775 files in total) and 2 TB of data before making contact.

This reflects the broader shift toward data-only extortion, where operational disruption may be limited but legal, reputational, and public-trust pressure can be severe.

Kairos also shared security-practice recommendations and a claimed deletion-file list.

Figure: Kairos-provided security recommendations and claimed deletion-file artefact shared after payment.

Chat Transcript

The full transcript is preserved below, but the key negotiation milestones are summarized first for readability.

Date | Speaker | Key event | Amount / artefact
--- | --- | --- | ---
19 May 2025 | Kairos | Initial contact, exfiltration claim, and first demand | $3M / output.rar
23–27 May 2025 | Affected entity / Kairos | File review period and sample-file request | 10 requested files / 1ty.me archive
28–30 May 2025 | Affected entity / Kairos | Negotiation begins; victim asks for a more reasonable figure | No offer yet
4 June 2025 | Affected entity | First formal counter-offer | $100K
6 June 2025 | Affected entity / Kairos | Victim increases offer; Kairos reduces demand | $255K offer / $2M demand
9 June 2025 | Affected entity / Kairos | Final negotiation round and hard deadline | $430K offer / $1M demand
13 June 2025 | Affected entity / Kairos | Payment sent and accepted | $1M
16 June 2025 | Kairos | Access method claimed and final archive shared | Brute force / union.rar

Key takeaway: The negotiation moved from an initial $3M demand to a $1M final payment, with the affected entity's recorded offers rising from $100K to $430K before Kairos issued a hard deadline.

Structured negotiation transcript

Timestamp | Actor | Event | Raw message
--- | --- | --- | ---
19 May 2025, 04:21 | Affected entity | Channel opened; initial assessment underway. | “We are online and evaluating the situation, we will be in touch.”
19 May 2025, 06:58 | Kairos | Kairos claimed 2 TB / 1,602,775 files and set the opening demand at $3 million. | “Hi. We have more than 2tb (1602775 files) at our disposal. We will give you the full list of files we have and give you some time to study it.You can choose up to 10 files from this list and we will send them to you. In order to prevent the publication of data you need to pay 3000000$.”
19 May 2025, 07:13 | Kairos | Initial file-list archive shared. | temp.sh/gHmWj/output.rar pass: gfrpRD$er@
19 May 2025, 20:21 | Affected entity | Affected entity acknowledged the file list and began review. | “We will review the list of files and get back to you”
19 May 2025, 20:37 | Kairos | Kairos acknowledged the review period. | “ok”
20 May 2025, 21:35 | Affected entity | Affected entity continued scope review. | “The list you provided is extensive. Our team is working to understand the scope of the affected information. We will be touch.”
20 May 2025, 21:56 | Kairos | Kairos acknowledged continued review. | “Ok”
22 May 2025, 00:26 | Affected entity | Affected entity requested more review time. | “We are still in the process of reviewing the list. We will get back to you.”
22 May 2025, 02:04 | Kairos | Kairos acknowledged. | “ok”
23 May 2025, 13:49 | Affected entity | Affected entity used holding language while review continued. | “Thank you for your patience. We want to assure you that we are taking this matter very seriously, we are dedicating resources to analyze the situation.”
23 May 2025, 14:23 | Kairos | Kairos allowed more time but introduced delay pressure. | “We realize that the file volume is very large.We can give you some more time to analyze them.But please do not delay the process.”
23 May 2025, 19:48 | Affected entity | Affected entity explained decision-maker availability and set expectation for file selection. | “We want to assure you we are actively working on our analysis. Monday is a holiday and most of our decision makers will not be back until Tuesday. We will provide you with our file selection then.”
23 May 2025, 20:27 | Kairos | Kairos acknowledged. | “ok”
27 May 2025, 21:39 | Affected entity | Ten sample files requested from the claimed data set. | “Incident 101-0069 (280651).pdf
Media Release - Motorcycle Crash Claims the Life of Dublin Resident 9-10-2020.pdf
Sick leave batch 2.12.16.pdf
1095 Audit Dashboard Process Documentation.pdf
Fergus, William - Oath - 2023-03-20.pdf
1 union co psi template.doc
IT Form for new hires.pdf
Connection Fee Assessment Details_2016-01-29.doc
Union.xlsx
Claim form.pdf”
27 May 2025, 23:25 | Kairos | Sample archive provided. | 1ty.me/bxIGiuzjr archive pass:Bt6&57r%b5&
27 May 2025, 23:26 | Kairos | Kairos moved from proof-of-access into payment negotiation. | “We have prepared a list of files for you and they are available for download.We asked you to choose files from the list we sent you, but these files with these names are not there. Perhaps you have made a mistake in the name?(IT Form for new hires.pdf,Connection Fee Assessment Details_2016-01-29.doc).There are several files with the same name Union.xlsx and Claim form.pdf in different directories.We suggest we start discussing the deal.How long will it take you to pay and pre-publish the data?”
28 May 2025, 18:50 | Affected entity | Affected entity challenged affordability and asked for a reduced demand. | “We may be able to come to an agreement, but your current demand is way more than we have. We are a small county with limited resources. Can you give us a more reasonable number to consider?”
28 May 2025, 19:12 | Kairos | Kairos referenced sensitive material as leverage and invited a counter-offer. | “We have conducted a full audit of your files and we understand perfectly well how valuable information we have in our hands and on this basis we demand such an amount.Do you understand what consequences will lead to the publication of this data? We are particularly interested in the folder “prosecutors office” leakage of data from which will help criminals to avoid responsibility and cause a strong public outcry and undermine confidence in you.We would not like to publish such data and come to an agreement.What is a reasonable amount in your opinion?”
29 May 2025, 21:54 | Affected entity | Affected entity requested time for legal and leadership review. | “We understand your position and the sensitivity of the data you’ve referenced. We are currently reviewing with our legal and leadership teams. These are complex decisions that require coordination at multiple levels. We’ll need more time to complete that process. We appreciate your patience while we continue our internal discussions.”
29 May 2025, 22:27 | Kairos | Kairos requested a firm decision date and warned of leak-site escalation. | “We understand your situation, how much time will you need?You should understand that if the process is delayed, we will be forced to announce your organization on our website with a timer.We need an exact date when you can make a payment decision.”
30 May 2025, 20:39 | Affected entity | Affected entity requested until Wednesday for internal approvals. | “We understand the urgency and are actively working through internal reviews and approvals. Due to the complexity of the situation and coordination required across departments, we will need at least until Wednesday. We appreciate your patience as we work toward a resolution.”
30 May 2025, 20:54 | Kairos | Kairos accepted the timing. | “Ok.”
4 June 2025, 18:16 | Affected entity | First formal counter-offer: $100,000. | “We have reviewed the situation with our leadership and financial teams. As a small county with very limited resources, we simply do not have the ability to meet the amount you have proposed. That said, we understand the seriousness of the matter and want to work toward a resolution. The most we have been able to identify at this time is $100,000. We respectfully ask that you consider this offer.”
4 June 2025, 19:11 | Kairos | Kairos rejected $100,000 and escalated deadline pressure. | “You are wasting our time with such offers.We cant accept it.Your files will be a great advertisement on our site and we understand what terrible consequences will await you.You cant hide the data leak.You have two more days to make us a favorable offer.”
5 June 2025, 21:56 | Affected entity | Affected entity kept the channel open and deferred further response. | “Please understand we’re not trying to waste anyone’s time. As a small county with limited resources, we’re doing everything possible to address this situation responsibly. We remain committed to finding a resolution and are holding ongoing internal discussions. We will update you tomorrow.”
6 June 2025, 18:04 | Affected entity | Counter-offer increased to $255,000. | “After further internal discussions, we have been able to identify $255,000 as a figure we can put forward at this time. Going public would only make resolution more difficult on both sides. We’re sharing this offer in good faith and hope you’ll be willing to continue the conversation.”
6 June 2025, 18:26 | Kairos | Kairos reduced demand to $2 million while maintaining pressure. | “We are willing to give you a discount and will settle for 2 million.We realize that bidding is part of the deal, but lets not drag this process out.Youve seen the documents we have,we also know how important they are to you.Making your documents public will cost you more than $250,000 in damages.You also know how badly your reputation would be damaged.Your negligence could hurt innocent people whose documents you lost.We are very pleased to talk to you,but lets speed up our dialog and move on to more realistic amounts to negotiate.”
6 June 2025, 20:48 | Affected entity | Affected entity deferred further response pending leadership review. | “We appreciate you working with us. We’ll need to review your latest response further with our leadership team. Those discussions will continue over the weekend, and we plan to follow up with you on Monday.”
6 June 2025, 21:00 | Kairos | Kairos set expectation for a stronger Monday offer. | “We want to see a really good offer on Monday.Thank you for your understanding.”
9 June 2025, 18:57 | Affected entity | Counter-offer increased to $430,000. | “We recognize and respect the effort you have made to move this forward. As a small county and limited resources, we are doing our best to navigate this within what is financially feasible for us. That said, we are committed to finding a resolution and have taken steps internally to increase our offer to $430,000. This reflects a sincere attempt to make progress despite our constraints. We ask that you consider this proposal as part of a continued effort to resolve the matter in a constructive and timely manner.”
9 June 2025, 19:38 | Kairos | Final demand set at $1 million with a Friday deadline. | “We asked you not to delay with negotiations and waited for a normal offer.Your situation could be solved today.Our last word is $1M.We give you time till Friday. If we do not see this amount on Friday on our wallet,your files will be immediately published on our site.”
9 June 2025, 19:39 | Kairos | Bitcoin payment wallet provided. | bc1q0zkms9vuhp767q6yp3t4tj8fkellxz5h3dxgvl
12 June 2025, 18:43 | Affected entity | Affected entity requested deliverables tied to the $1 million payment. | “Please confirm for $1,000,000 you will provide us with: proof of deletion, a complete list of all files taken, and tell us how you got in.”
12 June 2025, 19:06 | Kairos | Kairos shared another file list archive. | temp.sh/paLne/output.rar archive pass:Tb6NtGtb6b%% “We duplicate the list of files for you.”
12 June 2025, 19:08 | Kairos | Kairos claimed deletion and confidentiality assurances. | “We guarantee complete removal of your documents,we are committed to keeping our communication and transaction confidential.”
13 June 2025, 19:37 | Affected entity | Payment preparation confirmed. | “We are preparing to transfer the funds. We hope to have this resolved shortly.”
13 June 2025, 20:16 | Affected entity | Payment sent. | “Payment has been sent. Please confirm.”
13 June 2025, 22:20 | Kairos | Kairos confirmed payment acceptance and claimed deletion was underway. | “Thank you.The payment is accepted.We will prepare information for you soon and send it to the chat.Your data is in the process of deletion as we promised.”
16 June 2025, 13:53 | Affected entity | Affected entity requested post-payment deliverables. | “Thank you for confirming, do you have an ETA for the deliverables so we can keep our leadership informed?”
16 June 2025, 17:04 | Kairos | Kairos claimed brute-force access and described claimed deletion / non-retaliation assurances. | “The incident was very simple. We accessed your network using a bruteforce attack. We are attaching cybersecurity recommendations as well as proof of deletion of all downloaded files in special files. We also guarantee that we will not share the downloaded data with third parties, and we also guarantee that we will not attack you again. If everything is ok, we can delete our chat.”
16 June 2025, 17:05 | Kairos | Final archive / claimed deletion material provided. | temp.sh/WNnbX/union.rar

Negotiation Timeline

The timeline below summarizes the negotiation shown in the transcript.

Figure: Negotiation timeline showing the progression from Kairos's initial $3M demand to the final $1M ransom payment.

Negotiation outcome: The final payment was 33× the initial offer and 2.3× the highest recorded counter-offer. The transcript suggests the affected entity faced a difficult negotiation environment with limited leverage and significant public-exposure pressure.

Negotiation Dynamics

Kairos typically responded within minutes to a few hours of receiving a message, suggesting a disciplined and monitored negotiation process. Their active hours, viewed from a U.S. timezone, skewed toward late evening and night, but timing alone is insufficient for geographic attribution.

Longer response intervals appear to align with the affected entity's internal review, legal coordination, and approval processes, which are common in public-sector incident response.

Leverage Assessment

Kairos maintained leverage by controlling deadlines, publication threats, and proof-of-access artefacts. The affected entity's responses are consistent with an organization buying time while legal, leadership, financial, and communications decisions were coordinated.

Phrases such as “we appreciate your patience” and “we respect the effort you've made” should be read as channel-preservation language, not endorsement of the attacker's conduct.

Observed Pressure Tactics

  • Deadline escalation: Kairos moved from soft time pressure to a fixed Friday payment deadline.
  • High anchor and staged concessions: Kairos opened at $3 million, reduced to $2 million, then set a final $1 million demand, preserving a seven-figure outcome while creating the appearance of concession.
  • Targeted leverage: Kairos referenced a prosecutor's office folder and used the alleged sensitivity of that material to increase perceived public and operational risk.
  • Reputational pressure: Kairos framed publication as a public-trust event.
  • Manufactured urgency: Kairos used leak-site timers, deadline language, and wallet delivery to convert pressure into action.
  • Proof of capability: Kairos shared file lists and samples to support its access claims.

Affected Entity Response Pattern

  • Used cautious holding language while internal review continued.
  • Increased offers incrementally as deadline pressure escalated.
  • Kept communication open while legal, leadership, and financial approvals were coordinated.

The final payment was roughly 33× the opening offer, illustrating the difficulty of negotiating under public-exposure pressure.

Note: In similar cases, specialist ransomware negotiators may help structure communications, preserve leverage, and assess parallel recovery options.

Kairos Operational Patterns

Kairos responded within minutes to hours across the 28-day window, suggesting the negotiation channel was actively monitored. Longer intervals appear consistent with the affected entity's internal assessment and approval processes. Language patterns may indicate non-native English usage, but they are not sufficient for attribution.

Kairos Negotiation Channel

Unique codes are assigned to each victim to conduct negotiation:

http://nerqnacjmdy3obvevyol7qhazkwkv57dwqvye5v46k5bcujtfa6sduad.onion/feedback/?code=XXXXXXXXXXXXXXXXXXXXXXX

Language

Kairos's English was fluent but showed consistent grammatical patterns, including missing articles and slightly formal phrasing. These traits are characteristic of some Eastern European non-native English writing, though they are not sufficient for attribution on their own.

Passwords Used

  • output.rar — 19 May 2025 — gfrpRD$er@
  • output.rar — 27 May 2025 — Bt6&57r%b5&
  • output.rar — 12 June 2025 — Tb6NtGtb6b%%

All passwords follow a consistent pattern: mixed case, digits, special characters, recurring & and %, and 10–12 characters. They appear generated rather than manually chosen, which is standard operational security for a professional threat group.

Privacy Services

Files and links were shared using Temp.sh — for example, https://temp.sh/dgoBY/union.rar — and 1TY.me (1ty.me/bxIGiuzjr), both quick-burn and privacy-oriented services.

Evidence Limitations

  • No encryption observed: Based on the available material, this was data extortion rather than encryption-led ransomware. The primary pressure was legal, reputational, and public-facing rather than operational disruption.
  • Limited evidentiary value of the final archive: The last deliverable was named union.rar, which may indicate the proof of deletion was selective rather than comprehensive. It consisted of 1,310,568 lines in a plain-text log, with date ranges spanning from the late 1990s through 2025. The listing appears consistent with a real file-server scrape, but this cannot be independently verified from the transcript alone.
  • No cryptographic verification: There was no hash verification, no per-entry timestamp, no exit-code logging, and nothing cryptographically binding the log to an actual deletion event on the original system. The same list could be generated by running a script against a copy of the stolen data, proving only that the attacker had the files — not that the originals were destroyed.
  • No independent deletion verification shown: The transcript does not show a technical mechanism by which deletion could be independently verified, which remains a fundamental limitation in ransom-payment scenarios.
  • No identified locker sample: No encryptor or ransomware sample confidently associated with Kairos has been identified in this analysis. Based on the available evidence, Kairos should not be classified as a confirmed ransomware group. It appears to operate primarily as a data-extortion actor using leak threats and negotiation pressure rather than a demonstrated encryption-focused ransomware operation.

Tracing the Payment Timeline

Kairos provided the following Bitcoin wallet address to the victim in the chat panel:

bc1q0zkms9vuhp767q6yp3t4tj8fkellxz5h3dxgvl

Following the Funds

To simplify the transfer-node analysis, the following color key was used:

  • Turquoise wallet: Affected entity payment wallet
  • Green wallet: “Main Guy” node
  • Blue wallet: Helper wallet connection
  • Pink line: Ransom-demand timeline
  • Red wallet: High-confidence exchange or destination wallets in the observed payment flow
  • Light blue wallet: Kairos direct address
  • Black wallet: Unrelated or ignored wallet

Payment-flow summary: Affected entity payment → Kairos wallet → Main branch / Helper branch → ByBit, OKX, and BELQI exchange touchpoints.

In summary, the ransom payment split into two primary branches shortly after receipt. One branch moved toward a ByBit deposit address, while the other fragmented through intermediary wallets before touching addresses associated with OKX and BELQI. These movements help identify investigative leads, but they should not be interpreted as direct attribution to named individuals or organizations without additional evidence.

13 June 2025, 19:14:27: Kairos received the successful ransom payment — approximately $1 million — from the U.S. government body.

Figure: Initial affected-entity-to-Kairos Bitcoin transfer corresponding to the successful ransom payment.

13 June 2025, 21:36:19: The attacker transferred funds to two different accounts: 2.83 BTC and 6.61 BTC.

Note: For this analysis, the wallet that received 6.61 BTC is referred to as the “Main Guy,” and the wallet that received 2.83 BTC is referred to as the “Helper.”

Figure: First post-payment split from the Kairos wallet into the “Main Guy” and “Helper” transfer branches.

Branch Analysis

Main Guy Transfer Branch

16 June 2025, 15:52:10: The Main Guy wallet split funds into two accounts: 6.50 BTC and 0.1 BTC.

16 June 2025, 16:27:20: The full 6.50 BTC was transferred to a ByBit deposit address.

Figure: Main Guy branch showing the 6.50 BTC transfer toward a ByBit-associated deposit address.

Note: One later observed payout of 0.88 BTC was labelled as Cumberland DRW in the tracing view on 5 December 2025 at 19:17:29. The remaining visible payments were smaller transfers to 10 wallets. This label should be treated as a service-identification lead rather than attribution to Cumberland DRW or any specific actor.

Pivoting on the labelled Cumberland DRW node shows multiple branch-outs to services and exchanges such as CoinFlip, Copper, Binance, OKX, and BTSE. These downstream links may support further investigative triage, but they do not establish operator identity without independent corroboration.

Note: Cumberland DRW has been identified by the U.S. SEC as an unregistered dealer in crypto asset markets (see the SEC litigation release on that matter). This regulatory context is included for background only and is not evidence of involvement in the Kairos incident.

Helper Transfer Branch

13 June 2025, 22:03:55: The Helper wallet split into two accounts: 2.81 BTC and 0.02 BTC.

13 June 2025, 23:32:20: The 2.81 BTC wallet split into two accounts: 2.34 BTC and 0.4 BTC.

The receiving accounts were:

  • BELQI — Russian exchange: 14Me3Y2TPYHNDwK6VPvfvGeXdYRCxUyQX2 0.4 BTC
  • 1LZhFJb57cAHh5vEW79KYsx6hB8TBpxn2J 2.34 BTC

Figure: Helper branch split showing a 0.4 BTC transfer to a BELQI-associated wallet and a 2.34 BTC onward transfer.

13 June 2025, 23:32:20: The wallet holding 2.34 BTC split into two accounts: 0.75 BTC and 1.59 BTC.

Figure: Helper branch continuation showing a 0.75 BTC transfer to an OKX-associated wallet and a 1.59 BTC onward transfer.

The receiving accounts were:

  • OKX Exchange bc1q3fdcsy074ex4n9s0edxefzu9a6gaug505t8gy607x8g3cddh4y9qf47wjk 0.75 BTC
  • bc1psnk938yepdc474ad55vzw2fz83mwatv5l2k4s3pk7h8vmsx06v5qss8nlk 1.59 BTC

13 June 2025, 23:56:48: The wallet holding 1.59 BTC split into two accounts: 0.65 BTC and 0.94 BTC.

Figure: Further Helper branch fragmentation showing a 0.65 BTC transfer to an OKX-associated wallet and a 0.94 BTC onward transfer.

The receiving accounts were:

  • OKX Exchange bc1q327l7d8ch43ec6cxla39eg5lp3lpavqpmql8flwzgfdg94yjzlpqv8e7sk 0.65 BTC
  • bc1p7qhxh4962r5u4tv37pk33j769hwzawgztnpvmdqew4r206a46jhqwyu4xl 0.94 BTC

14 June 2025, 00:01:37: The wallet holding 0.94 BTC split into two accounts: 0.23 BTC and 0.7 BTC.

The receiving accounts were:

  • bc1pgv8ddwlkqyegxxjgk7xpjz4rgaz8chm8v9skq95n3t353vzrfplqyv3v8s 0.23 BTC
  • OKX Exchange bc1q3fdcsy074ex4n9s0edxefzu9a6gaug505t8gy607x8g3cddh4y9qf47wjk 0.70 BTC

Note: The 0.70 BTC transfer back to the OKX Exchange address is notable because the same OKX address appeared earlier in the Helper branch.

Figure: Repeated OKX-associated wallet activity observed within the Helper branch, including the 0.70 BTC return transfer.

Because this is an OKX exchange address, the analysis continues with the remaining individual wallet address holding 0.23 BTC.

14 June 2025, 19:49:02: The wallet transferred funds into two wallets: 0.16 BTC and 0.07 BTC.

The receiving accounts were:

  • bc1pltyywuwrf30lywasnkzel9vz8zr89ndwt75c3vpd34eex88g7xyq7u7dqk 0.07 BTC
  • OKX Exchange bc1q327l7d8ch43ec6cxla39eg5lp3lpavqpmql8flwzgfdg94yjzlpqv8e7sk 0.16 BTC

Another wallet, bc1p98h6q9vsjhkfgje3qcvz4xkp4dn25xrazfmtgdtjxw6wrycvpxyqmjv4cf, also contributed 0.11 BTC. This same account transferred 0.2 BTC to the OKX address bc1q327l7d8ch43ec6cxla39eg5lp3lpavqpmql8flwzgfdg94yjzlpqv8e7sk.

Figure: Additional Helper branch wallet activity showing further consolidation into the OKX-associated address.

16 June 2025, 18:53:57: The wallet split into 0.004 BTC and 0.1 BTC.

The receiving accounts were:

  • 1Pd44T3nPLwotSNyXpj6n3cfrLuvYhGgU3 0.004 BTC
  • BELQI 14Me3Y2TPYHNDwK6VPvfvGeXdYRCxUyQX2 0.16 BTC

Note: This account again transferred 0.16 BTC to the same BELQI exchange.

Figure: Later Helper branch transfer showing another payment into the same BELQI-associated wallet.

16 June 2025, 19:26:56: The wallet holding 0.004 BTC split into two accounts: 0.003 BTC and 0.009 BTC.

Note: This account — 1Pd44T3nPLwotSNyXpj6n3cfrLuvYhGgU3 — also received funds from three other accounts, which are outside the scope of this analysis.

The receiving wallets were:

  • bc1q6z822v92f4wjg9vdy8ky5ez5vp46e97su4nymm 0.003 BTC
  • bc1qa5k0433te8g50ws99m034vy5nmtx4lq7cd457t 0.009 BTC

These two wallets were observed in a single transfer only, so the pivot ends at this point.

The active transfer window occurred between 16 June 2025, 15:52:10 and 16 June 2025, 19:26:56 — a span of 3 hours and 34 minutes.
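The branch analysis above can be aggregated programmatically. The following is an added example (not code from the original report): it transcribes the transfer amounts and wallet labels quoted in the Main Guy and Helper branch narrative into an edge list, then sums what reached each labelled exchange, lists the unresolved residue a tracer would still have to pivot on, and counts hops from the Kairos wallet. Aliases such as "main_guy_2" and "helper_residual" are assumed names for wallets the report identifies only by the amount they held, and the destination of the 0.11 BTC contribution from bc1p98h6… is an assumption.

```python
"""Aggregate the Kairos post-payment fund flow into per-exchange totals.

Added example, not code from the original report. Amounts are the report's
figures as stated; network fees and residue the report does not mention are
not reconstructed. Aliases like "main_guy_2" are assumed names.
"""
from collections import defaultdict, deque

# Exchange-labelled addresses quoted in the report (labels are the report's own).
BYBIT = "1L24hzxzCSQxqzoHacbmwuWAdD2BWCMLFn"
OKX_A = "bc1q3fdcsy074ex4n9s0edxefzu9a6gaug505t8gy607x8g3cddh4y9qf47wjk"
OKX_B = "bc1q327l7d8ch43ec6cxla39eg5lp3lpavqpmql8flwzgfdg94yjzlpqv8e7sk"
BELQI = "14Me3Y2TPYHNDwK6VPvfvGeXdYRCxUyQX2"
LABELS = {BYBIT: "ByBit", OKX_A: "OKX", OKX_B: "OKX", BELQI: "BELQI"}

# Intermediary wallets the report names by address.
W_1LZH = "1LZhFJb57cAHh5vEW79KYsx6hB8TBpxn2J"
W_SNK = "bc1psnk938yepdc474ad55vzw2fz83mwatv5l2k4s3pk7h8vmsx06v5qss8nlk"
W_7QH = "bc1p7qhxh4962r5u4tv37pk33j769hwzawgztnpvmdqew4r206a46jhqwyu4xl"
W_GV8 = "bc1pgv8ddwlkqyegxxjgk7xpjz4rgaz8chm8v9skq95n3t353vzrfplqyv3v8s"
W_LTY = "bc1pltyywuwrf30lywasnkzel9vz8zr89ndwt75c3vpd34eex88g7xyq7u7dqk"
W_98H = "bc1p98h6q9vsjhkfgje3qcvz4xkp4dn25xrazfmtgdtjxw6wrycvpxyqmjv4cf"
W_1PD = "1Pd44T3nPLwotSNyXpj6n3cfrLuvYhGgU3"
W_6Z8 = "bc1q6z822v92f4wjg9vdy8ky5ez5vp46e97su4nymm"
W_A5K = "bc1qa5k0433te8g50ws99m034vy5nmtx4lq7cd457t"

# (source, destination, BTC) edges, in the order the report walks them.
EDGES = [
    ("kairos", "main_guy", 6.61), ("kairos", "helper", 2.83),
    # Main Guy branch
    ("main_guy", "main_guy_2", 6.50), ("main_guy", "main_residual", 0.10),
    ("main_guy_2", BYBIT, 6.50),
    # Helper branch
    ("helper", "helper_1", 2.81), ("helper", "helper_residual", 0.02),
    ("helper_1", BELQI, 0.40), ("helper_1", W_1LZH, 2.34),
    (W_1LZH, OKX_A, 0.75), (W_1LZH, W_SNK, 1.59),
    (W_SNK, OKX_B, 0.65), (W_SNK, W_7QH, 0.94),
    (W_7QH, W_GV8, 0.23), (W_7QH, OKX_A, 0.70),
    (W_GV8, W_LTY, 0.07), (W_GV8, OKX_B, 0.16),
    # Assumption: the report's 0.11 BTC "contribution" from W_98H is modelled as an
    # inflow to W_LTY. W_98H's own 0.20 BTC to OKX is recorded but not ransom-derived.
    (W_98H, W_LTY, 0.11), (W_98H, OKX_B, 0.20),
    (W_LTY, W_1PD, 0.004), (W_LTY, BELQI, 0.16),
    (W_1PD, W_6Z8, 0.003), (W_1PD, W_A5K, 0.009),
]


def hops_from(edges, root):
    """BFS hop count from `root` to every wallet reachable along edge direction."""
    out = defaultdict(list)
    for src, dst, _ in edges:
        out[src].append(dst)
    hops, queue = {root: 0}, deque([root])
    while queue:
        node = queue.popleft()
        for nxt in out[node]:
            if nxt not in hops:
                hops[nxt] = hops[node] + 1
                queue.append(nxt)
    return hops


def traced_edges(edges, root):
    """Edges whose source is reachable from `root`. Inflows from unrelated wallets
    (such as W_98H) are excluded, but once funds commingle in a reachable wallet
    its whole outflow is followed: no FIFO/LIFO apportionment is attempted."""
    reach = hops_from(edges, root)
    return [e for e in edges if e[0] in reach]


def exchange_totals(edges, root, labels=LABELS):
    """BTC traced from `root` that landed on labelled exchange addresses."""
    totals = defaultdict(float)
    for _, dst, btc in traced_edges(edges, root):
        if dst in labels:
            totals[labels[dst]] += btc
    return {k: round(v, 8) for k, v in totals.items()}


def unresolved_leaves(edges, root, labels=LABELS):
    """Reachable wallets with no recorded outflow and no exchange label: the
    residue a tracer still has to pivot on (or write off as dust or fees)."""
    traced = traced_edges(edges, root)
    sources = {src for src, _, _ in traced}
    leaves = defaultdict(float)
    for _, dst, btc in traced:
        if dst not in sources and dst not in labels:
            leaves[dst] += btc
    return {k: round(v, 8) for k, v in leaves.items()}


if __name__ == "__main__":
    print("per-exchange:", exchange_totals(EDGES, "kairos"))
    print("unresolved:", unresolved_leaves(EDGES, "kairos"))
    h = hops_from(EDGES, "kairos")
    print("hops to ByBit/BELQI/OKX_A/OKX_B:", h[BYBIT], h[BELQI], h[OKX_A], h[OKX_B])
```

The per-exchange totals count only edges on paths from the Kairos wallet, so the 0.20 BTC that bc1p98h6… sent to OKX is not attributed to the ransom even though it lands on the same address.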

So What?

The payment flow shows rapid post-payment fund movement, branch splitting, and exchange touchpoints within a narrow window. For investigators, the most useful leads are the timing of the split, the repeated OKX and BELQI touchpoints, and the ByBit-linked branch. For reporting purposes, these observations support the conclusion that the ransom was actively managed after receipt, but they do not identify individual operators without exchange, subpoena, or additional off-chain evidence.

High-Confidence Wallets and Exchange Touchpoints

The analysis narrowed the activity to four high-confidence wallet addresses associated with the observed ransom-payment flow and labelled exchange touchpoints:

  • bc1q327l7d8ch43ec6cxla39eg5lp3lpavqpmql8flwzgfdg94yjzlpqv8e7sk — OKX
  • bc1q3fdcsy074ex4n9s0edxefzu9a6gaug505t8gy607x8g3cddh4y9qf47wjk — OKX
  • 14Me3Y2TPYHNDwK6VPvfvGeXdYRCxUyQX2 — BELQI
  • 1L24hzxzCSQxqzoHacbmwuWAdD2BWCMLFn — ByBit

All four wallets were active during the same timeline. Other transfers occurred later.

Note: This does not mean all wallet addresses were identified. Timeline analysis was used to map active wallets during the ransom negotiation. Many wallets became active after long dormancy periods, in some cases after several months.

The ByBit-linked wallet continued to show active transactions, with last observed activity on 1 May 2026. This suggests continued use of the wallet infrastructure after the incident, with possible continued cybercriminal activity, although not necessarily under the “Kairos” brand.
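The timeline-based tracing described in the payment-flow section above and in the high-confidence wallet list can be reproduced with a small transfer-graph model. The block below is an added illustration, not tooling from the report or from RANSOM-ISAC: it uses the four labelled wallets and the 19:26:56 split as the report states them, while the PLACEHOLDER_* rows and their amounts are constructed stand-ins for earlier hops and the exchange labels are assumed rather than resolved from chain data.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Exchange labels for the four high-confidence wallets named in the report.
EXCHANGE_LABELS = {
    "bc1q327l7d8ch43ec6cxla39eg5lp3lpavqpmql8flwzgfdg94yjzlpqv8e7sk": "OKX",
    "bc1q3fdcsy074ex4n9s0edxefzu9a6gaug505t8gy607x8g3cddh4y9qf47wjk": "OKX",
    "14Me3Y2TPYHNDwK6VPvfvGeXdYRCxUyQX2": "BELQI",
    "1L24hzxzCSQxqzoHacbmwuWAdD2BWCMLFn": "ByBit",
}

# (timestamp, source, destination, BTC). PLACEHOLDER_* rows are constructed
# stand-ins for earlier hops; the last two rows are the 19:26:56 split as stated.
TRANSFERS = [
    ("2025-06-16 15:52:10", "PLACEHOLDER_RANSOM_WALLET", "PLACEHOLDER_HOP_A", 1.0),
    ("2025-06-16 15:52:10", "PLACEHOLDER_RANSOM_WALLET", "PLACEHOLDER_HOP_B", 1.0),
    ("2025-06-16 16:40:00", "PLACEHOLDER_HOP_A", "1L24hzxzCSQxqzoHacbmwuWAdD2BWCMLFn", 0.5),
    ("2025-06-16 17:15:00", "PLACEHOLDER_HOP_B", "14Me3Y2TPYHNDwK6VPvfvGeXdYRCxUyQX2", 0.2),
    ("2025-06-16 17:15:00", "PLACEHOLDER_HOP_B", "1Pd44T3nPLwotSNyXpj6n3cfrLuvYhGgU3", 0.004),
    ("2025-06-16 19:26:56", "1Pd44T3nPLwotSNyXpj6n3cfrLuvYhGgU3", "bc1q6z822v92f4wjg9vdy8ky5ez5vp46e97su4nymm", 0.003),
    ("2025-06-16 19:26:56", "1Pd44T3nPLwotSNyXpj6n3cfrLuvYhGgU3", "bc1qa5k0433te8g50ws99m034vy5nmtx4lq7cd457t", 0.009),
]

def active_window(transfers):
    """First and last observed transfer and the span between them."""
    times = sorted(datetime.strptime(t[0], "%Y-%m-%d %H:%M:%S") for t in transfers)
    return times[0], times[-1], times[-1] - times[0]

def branch_splits(transfers):
    """(timestamp, source) pairs that fan out to two or more destinations."""
    fanout = defaultdict(set)
    for ts, src, dst, _ in transfers:
        fanout[(ts, src)].add(dst)
    return {k: sorted(v) for k, v in fanout.items() if len(v) >= 2}

def exchange_touchpoints(transfers):
    """BTC that reached each labelled exchange wallet, summed per exchange."""
    totals = Counter()
    for _, _, dst, btc in transfers:
        if dst in EXCHANGE_LABELS:
            totals[EXCHANGE_LABELS[dst]] += btc
    return dict(totals)

def pivot_ends(transfers):
    """Unlabelled wallets seen once that never spend onward: where tracing stops."""
    received = Counter(t[2] for t in transfers)
    spenders = {t[1] for t in transfers}
    return sorted(a for a, n in received.items()
                  if n == 1 and a not in spenders and a not in EXCHANGE_LABELS)
```

Feeding real transaction records into TRANSFERS gives the same four views the report relies on: the active window, the split points, the exchange touchpoints, and the wallets where the pivot ends.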

Lessons Learned

  • Pre-authorize escalation paths: Public-sector entities should define who can approve legal, financial, operational, and communications decisions during extortion events.
  • Use specialist negotiation support: Structured negotiation support can help preserve leverage, manage deadlines, and assess parallel recovery options.
  • Treat deletion promises as unverifiable: Attacker-provided logs, screenshots, or assurances should not be treated as proof that stolen data was destroyed.
  • Harden exposed authentication: Enforce MFA, monitor brute-force activity, and alert on anomalous login patterns.
  • Monitor large outbound transfers: Data-only extortion depends on quiet exfiltration before first contact.
  • Protect sensitive repositories: Segment high-impact data such as legal, HR, law-enforcement, and citizen records.
  • Prepare public-communications plans: Reputation pressure is central to data-extortion campaigns and should be planned for before an incident.

Analytic Confidence

This assessment is based on a leaked negotiation transcript, screenshots, claimed artefacts, and observable blockchain activity. Confidence is highest for the negotiation sequence, the final payment amount, and the broad post-payment transfer pattern. Confidence is moderate for labelled exchange touchpoints because service labels can require independent confirmation. Confidence is lower for attacker claims regarding access method, data completeness, and deletion, which could not be independently verified from the transcript alone.

Who Is Kairos?

Figure: Artistic representation of Kairos, the Greek god of opportunity and the quality of the present moment. Source: Mediterranean Way Project.

The name Kairos comes from Greek mythology and philosophy, where it represents the opportune or decisive moment — the critical point at which action must be taken. Unlike Chronos, which refers to chronological time, Kairos is associated with timing, pressure, and acting at the right moment. As a threat-actor brand, the name is fitting: the group's leverage appears to rely on deadlines, publication threats, and forcing victims into high-stakes decisions during a narrow negotiation window.

Kairos was first observed in November 2024. Its data-leak site is located at:

nerqnacjmdy3obvevyol7qhazkwkv57dwqvye5v46k5bcujtfa6sduad.onion

As of this report, 88 victims have been listed by the group.

Each victim's data appears to be saved or posted on a dedicated onion domain, including:

It is notable that none of the Tor domains are vanity domains beginning with “Kairos,” unlike several larger ransomware ecosystem actors.

Unique tokens appear to be generated for each victim to initiate negotiation through the portal. In addition to direct chat access, Kairos also used another communication channel via email:

[email protected]

The email address may be an attempt to echo the branding style of LockBit, whose representative used “LockBitSupp” on TOX chat. This is a branding similarity only and should not be treated as evidence of a direct operational relationship.

Threat Intelligence

File Recovery

The deletion log shared by Kairos with the victim was recovered. It was a 238 MB text file shared through the Temp.sh platform. The file provides insight into the data set Kairos claimed to hold, but it does not prove deletion.

Exposing the Real IP

In January 2026, routine infrastructure hunting identified a likely backend associated with the Kairos data-leak site. It resolved to 62.182.81.38, geolocating to Ukraine. The ASN is AS30860 — Virtual Systems LLC — a provider that has previously appeared in malware and offensive-security infrastructure reporting, including Cobalt Strike-related activity.

Figure: Clear-net backend exposure for the Kairos data-leak site, resolving to 62.182.81.38 on Virtual Systems LLC infrastructure.

The server was running the following services:

  • SSH-2.0-OpenSSH_9.6p1 Ubuntu-3
  • ubuntu13.14 on an NGINX server

Leak Site Seizure by the SBU Cyber Department

The exposed infrastructure later displayed a seizure notice attributed to the Cyber Department of the Security Service of Ukraine (SBU). This indicates that Kairos's leak-site infrastructure was likely disrupted through Ukrainian law-enforcement action rather than a simple outage or voluntary migration.

For a data-extortion group, seizure of leak-site infrastructure is operationally significant because the site functions as both a victim-pressure mechanism and a credibility layer during negotiations. The seizure should be treated as an infrastructure disruption and investigative lead; it does not, by itself, confirm arrests, operator attribution, or a complete dismantling of Kairos.

Figure: Seizure notice displayed on the exposed Kairos leak-site infrastructure and attributed to the SBU Cyber Department.

Conclusion

This case illustrates how data-only extortion can create significant pressure even without encryption or operational disruption. Kairos used file-access claims, publication threats, staged concessions, and deadline pressure to secure a successful seven-figure ransom payment from a U.S. government body.

The blockchain activity provides useful investigative leads, including rapid fund splitting and exchange touchpoints, but it should not be treated as standalone attribution. The strongest finding is operational: public-sector organizations need pre-authorized escalation paths, negotiation support, egress monitoring, and a clear understanding that attacker deletion claims are not independently verifiable.

Although Kairos appears less active and the last known victim was observed on 1 June 2026, the available evidence does not confirm that the group has fully ceased operations. Later wallet activity should be treated as an investigative lead rather than definitive proof of continued Kairos operations.

Note: This is individual research by The Raven File for RANSOM-ISAC.