Menu
Browse

Cyber Threat Actor: Kairos

Actor Type Location Known Incidents
 Icon
Crime Syndicate
1 incident
Profile

Kairos is the alias used by a cyber extortion group that first appeared in public reporting on May 1 2025 when it targeted Union County, Ohio, a local government jurisdiction in the Midwestern United States. The attackers gained initial access to the county’s networks through a brute‑force intrusion, without deploying any malware, and proceeded to exfiltrate more than two terabytes of files. The stolen dataset encompassed a wide variety of personal information, including names, birth dates, identification numbers, Social Security numbers, financial and medical details, fingerprints and payment card data. This volume and variety of data gave the group leverage to threaten public disclosure if their demands were not met.

Following the breach, Kairos entered a three‑week negotiation period with county officials, opening with a demand of $100,000 for the non‑release of the stolen material. The county’s counter‑offer increased to $430,000 before the attackers ultimately accepted a payment of $1 million in cryptocurrency to halt any further dissemination. Throughout the talks the group supplied proof‑of‑access artifacts to demonstrate continued control over the data and imposed firm deadlines, warning that the information would be published if the ransom was not satisfied. Notably, the operation did not involve file‑encrypting ransomware; it was conducted as a pure extortion scheme relying solely on the threat of exposure.

The incident exposed the personal data of tens of thousands of individuals residing in Union County, covering the same categories of identifiers and health‑related information listed in the exfiltrated dataset. Union County’s response involved coordinating legal, leadership, financial and communications teams to manage the crisis, a process noted by observers as an example of multi‑functional crisis handling. Ransom‑ISAC characterized the event as financially motivated extortion directed at a local government entity in the United States, emphasizing the absence of any ransomware component. To date, no public attribution to a state sponsor or larger criminal consortium has been made, and open‑source reporting does not link Kairos to any additional campaigns beyond this single reported operation.

Incidents
Attributed incidents available to members
1 incident
Sources
Sources available to members
0 sources