Huntress Employee Allegedly Tipped Off Ransomware Actor About FBI
Former analyst claims a Huntress threat hunter shared FBI communications with ransomware operator Devman, including agent names. CEO admits 'poor judgment' but denies illegality.
A former Huntress analyst has accused a current employee of passing FBI communications directly to a ransomware operator, igniting a public dispute over what constitutes an insider threat in the cybersecurity industry.
The allegations come during the same week a ransomware negotiator received 70 months in prison for feeding victim intelligence to BlackCat attackers—raising pointed questions about who defenders can trust when the security industry itself has insider problems.
The Allegations
Ben Folland, a former security operations analyst who left Huntress in February 2026, claims he discovered in December 2025 that a colleague had been passing law enforcement intelligence to Devman, a ransomware operator believed to be based in Russia.
According to The Register, when the FBI contacted the Huntress employee seeking intelligence about Devman, she "immediately forwarded the exact FBI communications to the threat actor, including screenshots containing FBI agent names." She allegedly informed Devman that law enforcement was actively investigating him.
Folland characterized the disclosure as meeting "the definition of an insider threat," comparing it to warning a fraudster about an approaching police investigation.
Company Response
Huntress CEO Kyle Hanslovan acknowledged what he called "questionable, long-term threat actor communications" in a June 30 blog post. He characterized the behavior as reflecting "poor judgment" but maintained that multiple internal investigations, plus consultation with law enforcement, found no evidence of illegal conduct.
"While this disclosure was not illegal, it reflected poor judgment," Hanslovan stated.
According to SC Media, Huntress implemented stricter policies and took administrative measures following the investigation. The company also pushed back against suggestions that an upcoming IPO influenced its response to the incident.
Who is Devman?
Devman operates a ransomware operation that emerged in April 2025 using code derived from the leaked Conti source code. The operation reportedly uses modified DragonForce ransomware infrastructure, part of a wave of new ransomware variants building on leaked source from disbanded groups.
Threat researchers sometimes maintain communication channels with cybercriminals for intelligence-gathering purposes—a practice that exists in an ethical gray zone. The controversy centers on whether sharing active law enforcement interest crosses from intelligence gathering into something more damaging.
The Whistleblower's Evidence
Folland has pledged to release documentation within two weeks of his initial allegations, claiming to possess:
- FBI communications forwarded to Devman
- Direct exchanges between the Huntress employee and the ransomware operator
- Recorded phone calls
- Internal Huntress memos discussing the situation
- Evidence of threats targeting Folland and his family
The promised release has intensified scrutiny on Huntress and raised questions about accountability when defenders themselves become vectors for sensitive information reaching criminals.
Pattern of Insider Problems
The Huntress incident arrives during a broader reckoning over insider threats in cybersecurity. The Angelo Martino prosecution demonstrated that insiders with trusted access can cause extraordinary damage—Martino helped BlackCat extract $75.3 million from victims by sharing their insurance limits and negotiation strategies.
Two of Martino's co-conspirators, Ryan Goldberg and Kevin Martin, also held cybersecurity positions. Goldberg worked as an incident response manager at Sygnia, while Martin was a DigitalMint colleague. All three received multi-year prison sentences.
The security industry's professionalization has created specialized roles with access to highly sensitive information. Incident responders, negotiators, and threat hunters all require access to details that become weaponizable in the wrong hands.
Why This Matters
For organizations working with security vendors, the past week has delivered uncomfortable lessons:
Trust is asymmetric. Victims share their most sensitive information with security firms during their most vulnerable moments. Whether that information stays confidential depends entirely on the ethics of individuals who have every technical means to share it elsewhere.
Verification is hard. Background checks won't reveal ongoing relationships with threat actors. Even companies specializing in security can harbor insiders who prioritize other interests.
The line is blurry. Threat researchers do communicate with criminals for legitimate intelligence purposes. Determining when that communication crosses into harmful territory requires judgment calls that reasonable people can disagree on.
The FBI has not publicly commented on the Huntress matter. Folland's promised documentation release may provide additional clarity—or deepen the controversy.
For security teams evaluating vendor relationships, our social engineering guide covers how attackers manipulate trust. But this case suggests the threat model extends beyond external attackers to the defenders organizations bring inside their perimeters.
Huntress did not respond to requests for comment beyond Hanslovan's public statements. The investigation reportedly remains ongoing.
Related Articles
Ransomware Negotiator Who Fed Intel to BlackCat Gets 70 Months
Angelo Martino leaked client insurance limits and negotiation strategies to the ransomware gang he was hired to negotiate against. Federal court sentences the double agent to nearly six years.
Jul 10, 2026Vect and TeamPCP Alliance Creates 'Industrialized Ransomware' Pipeline
Sophos and FBI warn of new partnership combining supply chain credential theft with ransomware deployment. 500,000 credentials already stolen.
Jul 5, 2026FBI: Cybercrime Losses Hit $20.9B in 2025, Up 26%
FBI IC3 2025 report reveals record $20.9 billion in cybercrime losses. Investment fraud tops $8.6B, cryptocurrency scams reach $11.4B, and ransomware losses surge 259%.
Apr 13, 2026FBI Seizes NetNut Proxy Network Built on 2M Hijacked Smart TVs
Google and the FBI dismantled NetNut, a residential proxy network that compromised 2 million smart TVs and streaming boxes. 316 threat groups used it in a single week to mask attack origins.
Jul 3, 2026