Huntress employee warned ransomware operator about FBI probe

Manaal Khan | July 2, 2026 at 10:02 AM | 5 min read

Key Takeaways

Source: www.theregister.com
  • A current Huntress employee shared FBI communications with a ransomware operator named Devman
  • CEO Kyle Hanslovan calls it 'poor judgment' but denies illegal conduct or insider activity
  • Former employee Ben Folland insists the behavior meets the definition of an insider threat

A Huntress threat hunter forwarded FBI communications directly to a ransomware criminal, according to the company's CEO. Kyle Hanslovan confirmed Tuesday that the employee disclosed law enforcement interest in a threat actor known as Devman, who operates ransomware built on leaked Conti source code. Hanslovan called it "poor judgment." A former colleague says it was something far worse.

What exactly did the Huntress employee share?

The controversy centers on communications between a current Huntress security analyst and Devman, a Russian-linked ransomware operator who uses modified DragonForce code. When the FBI approached the Huntress employee seeking intelligence on Devman, the employee allegedly forwarded those FBI communications, including screenshots containing agent names, directly to the criminal.

"In one particular exchange, our current teammate disclosed to a threat actor that law enforcement had reached out to them about the threat actor," Hanslovan wrote in a blog post Tuesday. "While this disclosure was not illegal, it reflected poor judgment."

The employee also reportedly refused to cooperate with the FBI because, according to former Huntress analyst Ben Folland, "they wanted Devman."

Former employee calls it an insider threat

Folland left Huntress in February. Last week he went public with allegations that the analyst's actions put him and his family at risk, claiming Devman is "actively and publicly targeting" them. He says the FBI notified him about the incident.

Folland rejects the "poor judgment" framing. "This was a Huntress employee taking sensitive knowledge about a law enforcement approach and passing it directly to the person being investigated," he wrote on LinkedIn. "If someone inside a bank warns a fraudster that police are investigating them, nobody would describe that as merely 'poor judgment.' They would call it what it is, an insider."

His core argument is simple: if you work at a cybersecurity company, you should not be informing criminals of active investigations against them. Full stop.

Huntress says it was not illegal

Hanslovan maintains the company has found no evidence of illegal conduct, insider activity, or additional disclosures. In response to the investigation, Huntress implemented "more robust policies for our researchers, coached teammates on engaging with threat actors, and took appropriate administrative actions."

He did not specify what those administrative actions were. The employee remains at the company.

"Due to the privacy rights of our teammates, we will not comment further on the investigation," Hanslovan wrote. Huntress declined additional comment to The Register. The FBI did not respond to requests for comment.

The gray zone of threat actor engagement

Security researchers routinely communicate with cybercriminals. It is how they gather intelligence on tactics, tools, and upcoming campaigns. Many threat intelligence teams maintain ongoing contact with hackers in underground forums. The practice is legal and often valuable.

But there is a line. Disclosing that law enforcement is investigating someone crosses it, at least ethically. Whether it crosses a legal threshold depends on specifics that neither Hanslovan nor Folland has fully detailed.

The incident raises uncomfortable questions for the entire managed detection and response industry. Huntress protects over 125,000 small and mid-sized businesses. If a threat hunter at an MDR provider is willing to tip off a ransomware operator about FBI interest, what else might they share? And how would customers ever know?

What this means for Huntress customers

Hanslovan says the company has found no evidence that customer data was compromised or that the employee engaged in other problematic disclosures. The investigation is ongoing.

But the reputational damage is real. Huntress built its brand on being the scrappy defender of small businesses against ransomware gangs. Having an employee who allegedly tipped off a ransomware operator, even if technically legal, undercuts that narrative.

Folland's claim that Devman is targeting his family adds another dimension. If true, a Huntress employee's communications with a criminal may have contributed to ongoing harassment of a former colleague.

Logicity's Take

The "poor judgment" framing is doing a lot of heavy lifting here. An employee at a $265 million cybersecurity firm passed FBI communications to the exact criminal the FBI was investigating, and the company's response is policy updates and coaching. For CTOs evaluating MDR providers, this incident is a reminder that vendor security extends beyond technical controls. Ask about insider threat policies, researcher ethics guidelines, and how providers handle law enforcement cooperation. Competitors like CrowdStrike, SentinelOne, and Arctic Wolf all operate similar threat intelligence programs. Their policies around threat actor engagement should be part of any vendor security review.

Frequently Asked Questions

Is it illegal to warn a criminal about an FBI investigation?

It depends on the circumstances. Obstruction of justice charges typically require intent to impede an investigation. Huntress CEO Kyle Hanslovan says the disclosure was not illegal, though legal experts have not weighed in publicly.

Who is Devman?

Devman is a ransomware operator believed to be based in Russia. He uses modified DragonForce code built on top of the leaked Conti ransomware source code.

Is the Huntress employee still working at the company?

Yes. Hanslovan confirmed the employee remains at Huntress. The company says it took 'appropriate administrative actions' but has not specified what those were.

What is threat actor engagement?

Security researchers sometimes communicate with cybercriminals to gather intelligence on tactics, tools, and targets. The practice is common in the industry but raises ethical questions about where the line between research and complicity falls.

Should Huntress customers be concerned?

Huntress says there is no evidence of customer data compromise or other problematic disclosures. The company has implemented new policies and continues investigating.

Manaal Khan

Tech & Innovation Writer

Produced with AI assistance and reviewed by the Logicity editorial team. Learn more in our Editorial Policy.