Key Takeaways
- Former Huntress analyst Ben Folland alleges that a current employee passed FBI communications about a ransomware threat actor (Devman) directly to that actor, which he argues meets the definition of an insider threat.
- Huntress CEO Kyle Hanslovan acknowledges the exchange as “poor judgment” but maintains that an internal investigation found no evidence of illegal conduct or insider activity.
- The company says it has strengthened policies, coached staff on interacting with threat actors, and taken administrative actions, while refusing further comment due to employee privacy.
- Folland disputes the characterization, insisting that forwarding law‑enforcement details to a criminal suspect is more than a lapse in judgment and poses reputational and client‑risk concerns.
- The FBI has not publicly commented on the matter, and Huntress has declined to provide additional specifics about the investigation.
Background of the Allegation
Early in 2025, former Huntress security‑operations analyst Ben Folland left the company after a tenure focused on threat‑hunting and incident response. Shortly after his departure, Folland took to professional social media to accuse a still‑employed Huntress colleague of sharing sensitive law‑enforcement information with a known ransomware operator. He claimed that the disclosed information pertained to an ongoing FBI outreach concerning the threat actor dubbed “Devman,” a Russia‑based ransomware group that leverages a modified version of the leaked Conti source code. Folland framed the behavior as a clear breach of trust that endangered both Huntress’s reputation and its client base.
Details of the Alleged Communication
According to Folland’s LinkedIn post, the FBI reached out to the Huntress analyst seeking intelligence on Devman’s activities. Rather than providing the information solely to federal authorities, the analyst allegedly forwarded the exact FBI correspondence—including screenshots that revealed agent names—to Devman himself. Folland asserted that the analyst explicitly told the ransomware operator that law enforcement was actively investigating him and that she refused to cooperate with the FBI’s requests because they were aimed at Devman. This direct hand‑off of investigative details, Folland argued, gave the cybercriminal advance warning and potentially allowed him to evade detection or alter his tactics.
Huntress Leadership’s Initial Response
When the accusations first surfaced, Huntress CEO Kyle Hanslovan responded publicly, stating that he “firmly disagree[d]” with Folland’s characterization of the incident as an insider threat. Hanslovan declined to elaborate on the specifics of the exchange, citing an ongoing internal review. He emphasized that, at that stage, the company had not uncovered any illegal conduct and that the matter appeared to be a lapse in judgment rather than a malicious insider act.
CEO’s Follow‑Up Blog Post
In a subsequent blog post published on Tuesday, Hanslovan expanded on the company’s position. He acknowledged that the analyst had disclosed law‑enforcement outreach to Devman but described the act as “poor judgment” rather than criminal or insider behavior. Hanslovan noted that the internal investigation had not uncovered evidence of illegal activity, additional disclosures, or a pattern of insider threats. He stated that the findings prompted Huntress to tighten its policies governing researcher interactions with threat actors, provide additional coaching to staff on appropriate engagement boundaries, and implement administrative measures aimed at preventing similar lapses.
Internal Actions Taken by Huntress
Following the investigation, Huntress reported several concrete steps. The company introduced more robust guidelines for its threat‑hunting team, clarifying what information may be shared with external parties—including threat actors—and under what circumstances. Employees received targeted training on handling law‑enforcement inquiries, emphasizing the need to preserve the integrity of ongoing investigations and to escalate such contacts through proper legal channels rather than communicating directly with suspects. Administrative actions, which Hanslovan did not detail publicly, were applied to the analyst involved, though the nature of any disciplinary measures remained undisclosed due to privacy considerations.
Folland’s Rebuttal and Definition of Insider Threat
Ben Folland rejected Huntress’s framing, insisting that the analyst’s conduct satisfies the accepted definition of an insider threat. In his LinkedIn response, he argued that warning a criminal subject about an active law‑enforcement investigation is analogous to a bank employee tipping off a fraudster about a police probe—an act universally recognized as insider misconduct. Folland stressed that the analyst’s actions went beyond a simple mistake; they involved the deliberate transmission of sensitive, non‑public information that could compromise an investigation and potentially endanger other victims of Devman’s ransomware campaigns. He warned that such behavior erodes trust in security firms and places clients at undue risk.
Implications for Huntress and the Wider Security Community
The episode raises broader questions about how security organizations manage the interface between threat‑intelligence gathering and legal processes. Analysts often interact with threat actors to gather intelligence, but clear boundaries must exist to prevent inadvertent or deliberate aid to those actors. The incident underscores the necessity of explicit policies governing the handling of law‑enforcement communications, the importance of regular training on ethical and legal obligations, and the value of transparent internal investigations that balance accountability with employee privacy. For Huntress, the reputational fallout may hinge on how effectively it communicates its remedial actions and reassures customers that its defensive posture remains uncompromised.
FBI’s Position and Ongoing Investigation
The Register reached out to the Federal Bureau of Investigation for comment on the alleged exchange, but the bureau did not respond. Consequently, the public record lacks an official confirmation of whether the FBI formally notified Folland about the analyst’s actions or whether any federal inquiry is underway. Huntress has likewise declined to disclose further specifics, citing the privacy rights of its employees. Without external validation, the narrative remains shaped primarily by the statements of the former analyst and the company’s leadership, leaving room for differing interpretations of the severity and intent behind the disclosed communications.
Conclusion
The dispute between Ben Folland and Huntress highlights a tension between asserting rigorous insider‑threat definitions and contextualizing judgment lapses in high‑stakes threat‑hunting environments. While Huntress maintains that no illegal conduct occurred and that it has instituted preventive measures, Folland’s insistence that the behavior qualifies as an insider threat serves as a cautionary reminder for all security firms: safeguarding the integrity of law‑enforcement engagements is as critical as defending against external cyber threats. The outcome will likely influence how similar cases are handled across the industry, reinforcing the need for clear protocols, ongoing education, and a culture that prioritizes both operational effectiveness and ethical responsibility.

