PROBABLYPWNED
Threat IntelligenceJuly 10, 20264 min read

Huntress Employee Allegedly Tipped Off Ransomware Actor About FBI

Former analyst claims a Huntress threat hunter shared FBI communications with ransomware operator Devman, including agent names. CEO admits 'poor judgment' but denies illegality.

Alex Kowalski

A former Huntress analyst has accused a current employee of passing FBI communications directly to a ransomware operator, igniting a public dispute over what constitutes an insider threat in the cybersecurity industry.

The allegations come during the same week a ransomware negotiator received 70 months in prison for feeding victim intelligence to BlackCat attackers—raising pointed questions about who defenders can trust when the security industry itself has insider problems.

The Allegations

Ben Folland, a former security operations analyst who left Huntress in February 2026, claims he discovered in December 2025 that a colleague had been passing law enforcement intelligence to Devman, a ransomware operator believed to be based in Russia.

According to The Register, when the FBI contacted the Huntress employee seeking intelligence about Devman, she "immediately forwarded the exact FBI communications to the threat actor, including screenshots containing FBI agent names." She allegedly informed Devman that law enforcement was actively investigating him.

Folland characterized the disclosure as meeting "the definition of an insider threat," comparing it to warning a fraudster about an approaching police investigation.

Company Response

Huntress CEO Kyle Hanslovan acknowledged what he called "questionable, long-term threat actor communications" in a June 30 blog post. He characterized the behavior as reflecting "poor judgment" but maintained that multiple internal investigations, plus consultation with law enforcement, found no evidence of illegal conduct.

"While this disclosure was not illegal, it reflected poor judgment," Hanslovan stated.

According to SC Media, Huntress implemented stricter policies and took administrative measures following the investigation. The company also pushed back against suggestions that an upcoming IPO influenced its response to the incident.

Who is Devman?

Devman operates a ransomware operation that emerged in April 2025 using code derived from the leaked Conti source code. The operation reportedly uses modified DragonForce ransomware infrastructure, part of a wave of new ransomware variants building on leaked source from disbanded groups.

Threat researchers sometimes maintain communication channels with cybercriminals for intelligence-gathering purposes—a practice that exists in an ethical gray zone. The controversy centers on whether sharing active law enforcement interest crosses from intelligence gathering into something more damaging.

The Whistleblower's Evidence

Folland has pledged to release documentation within two weeks of his initial allegations, claiming to possess:

  • FBI communications forwarded to Devman
  • Direct exchanges between the Huntress employee and the ransomware operator
  • Recorded phone calls
  • Internal Huntress memos discussing the situation
  • Evidence of threats targeting Folland and his family

The promised release has intensified scrutiny on Huntress and raised questions about accountability when defenders themselves become vectors for sensitive information reaching criminals.

Pattern of Insider Problems

The Huntress incident arrives during a broader reckoning over insider threats in cybersecurity. The Angelo Martino prosecution demonstrated that insiders with trusted access can cause extraordinary damage—Martino helped BlackCat extract $75.3 million from victims by sharing their insurance limits and negotiation strategies.

Two of Martino's co-conspirators, Ryan Goldberg and Kevin Martin, also held cybersecurity positions. Goldberg worked as an incident response manager at Sygnia, while Martin was a DigitalMint colleague. All three received multi-year prison sentences.

The security industry's professionalization has created specialized roles with access to highly sensitive information. Incident responders, negotiators, and threat hunters all require access to details that become weaponizable in the wrong hands.

Why This Matters

For organizations working with security vendors, the past week has delivered uncomfortable lessons:

Trust is asymmetric. Victims share their most sensitive information with security firms during their most vulnerable moments. Whether that information stays confidential depends entirely on the ethics of individuals who have every technical means to share it elsewhere.

Verification is hard. Background checks won't reveal ongoing relationships with threat actors. Even companies specializing in security can harbor insiders who prioritize other interests.

The line is blurry. Threat researchers do communicate with criminals for legitimate intelligence purposes. Determining when that communication crosses into harmful territory requires judgment calls that reasonable people can disagree on.

The FBI has not publicly commented on the Huntress matter. Folland's promised documentation release may provide additional clarity—or deepen the controversy.

For security teams evaluating vendor relationships, our social engineering guide covers how attackers manipulate trust. But this case suggests the threat model extends beyond external attackers to the defenders organizations bring inside their perimeters.

Huntress did not respond to requests for comment beyond Hanslovan's public statements. The investigation reportedly remains ongoing.

Related Articles