"In one particular exchange, our current teammate disclosed to a threat actor that law enforcement had reached out to them about the threat actor," Kyle Hanslovan said in a blog post.
Huntress CEO Kyle Hanslovan: disclosure reflected "poor judgment"
Huntress CEO Kyle Hanslovan acknowledged in a Tuesday blog post that his company discovered "questionable, long-term threat actor communications" between a currently employed threat hunter and a cybercriminal. Hanslovan described an instance in which the employee disclosed to a threat actor that law enforcement had made contact, calling that conduct "poor judgment." He stressed that while the disclosure "was not illegal," it nevertheless fell short of the conduct the company expects from its researchers.
Former analyst Ben Folland says the behavior was an insider threat
Those revelations follow allegations made publicly last week by former Huntress security operations analyst Ben Folland, who left the company in February. Folland alleged that "another Huntress employee passed communications from US law enforcement to a cybercriminal, Devman, who is actively and publicly targeting my family and me." He further asserted that the insider was "caught by the FBI" and that the actions "would cause significant reputational damage to Huntress and, in my view, continues to put clients at risk."
Folland characterized the conduct in stark terms: "If you are an employee at a cybersecurity company, you should not be helping cybercriminals. You should not be informing them of active investigations. You should not be engaging in cybercriminal activity yourself." In a LinkedIn post responding to Hanslovan’s blog, Folland reiterated that the communications "meet the definition of an insider threat."
Devman, FBI contact, and the specific claims about forwarded messages
Folland's account includes a precise allegation about what was forwarded. He claimed that when the FBI reached out to the Huntress employee for intelligence on Devman, "She immediately forwarded the exact FBI communications to the threat actor, including screenshots containing FBI agent names." According to Folland, the employee also "informed Devman that law enforcement was actively looking into him" and "refused to cooperate because they wanted Devman."
The reporting describes Devman as a ransomware operator, believed to be located in Russia, who "uses modified DragonForce code built on top of the leaked Conti source code." According to Folland, the FBI notified him of the incident involving the Huntress analyst; The Register reached out to the FBI for comment and did not receive a response.
Investigation, administrative steps, and company posture
Hanslovan said Huntress conducted an investigation and concluded that the communications did not rise to the level of insider activity. He wrote that his team "implemented more robust policies for our researchers, coached teammates on engaging with threat actors, and took appropriate administrative actions." Hanslovan added: "While we haven't found evidence of illegal conduct, insider activity, or additional disclosures, we are continuing our investigation."
Beyond describing those steps, Hanslovan declined to provide further detail, citing "the privacy rights of our teammates." Huntress "declined to comment further" when approached for additional information, according to the reporting.
What this means for technologists, the FBI contact, and affected families
- Technologists and security teams: Huntress says it has tightened researcher policies and coaching on engaging with threat actors; practitioners will watch whether those procedural changes are sufficient and how they are enforced.
- The FBI contact and law enforcement partners: The record shows law enforcement reached out for intelligence on Devman, and Folland alleges the FBI communications were forwarded to Devman himself. The FBI did not respond to a request for comment in the reporting.
- Affected families and targeted individuals: Folland described ongoing, public targeting of his family by Devman and said the alleged disclosure aggravated that risk; individuals in similar situations will be attentive to how firms handle sensitive law-enforcement requests.
The exchange between a Huntress researcher and Devman has prompted internal controls, public accusations, and a continuing company investigation. Hanslovan's assertion that the conduct was not illegal but demonstrated "poor judgment" sits in tension with Folland's characterization of the same events as an insider threat that harmed clients and family members and, he says, was reported to the FBI. Huntress says it has taken administrative steps and is continuing to investigate; the company otherwise declined further comment. The public record now contains competing accounts, an ongoing internal probe, and an unanswered outreach to the FBI.




