
This was reported by researchers at Ransom-ISAC, according to forklog.com.
After analyzing chat logs and on-chain data, experts determined that the hackers threatened to publish the stolen confidential information of citizens. A distinctive feature of the incident was the attackers’ complete refusal to use traditional ransomware—the infrastructure was not encrypted, and the attack boiled down to direct blackmail based on the leak of 2 TB of information.
The hackers’ initial demand was $3 million. The attackers pressured the victim by threatening to publish a folder labeled “prosecutor’s office” (which would have helped the criminals avoid charges), as well as Social Security numbers, financial data, and fingerprints. During a month-long negotiation, the amount was reduced to $1 million.
Upon receiving the payment, the criminals split the transfer and routed the funds through a chain of wallets, sending them to deposit addresses linked to the crypto exchanges Bybit, OKX, and the Russian service BELQI.
As proof of the “transaction,” Kairos provided only a list of files marked for deletion, which, according to experts, offers no real guarantees.
Experts noted a global shift in cybercrime tactics: hacker syndicates are increasingly turning to outright theft and extortion, as this frees them from the need to maintain complex encryption software. The Kairos group itself has currently ceased public activity, but crypto wallets associated with it continued to move funds until May 2026.























