Huntress Threat Hunter Accused of Disclosing Law Enforcement Probe to Ransomware Operator
Huntress CEO confirms a threat hunter disclosed law enforcement contact to a ransomware operator, calling it 'poor judgment' amid insider threat allegations.
Huntress CEO Kyle Hanslovan has confirmed that a threat hunter employed by the cybersecurity firm engaged in "questionable, long-term threat actor communications" and disclosed sensitive information to a cybercriminal known as Devman. Hanslovan characterized the employee's actions as "poor judgment" rather than illegal activity, responding to accusations from a former employee who alleged the conduct constituted an insider threat.
In a detailed blog post, Hanslovan stated, "In one particular exchange, our current teammate disclosed to a threat actor that law enforcement had reached out to them about the threat actor." This admission came after former Huntress security operations analyst Ben Folland publicly alleged that a current Huntress employee had passed communications from U.S. law enforcement directly to Devman, a ransomware operator believed to be operating from Russia and utilizing modified DragonForce code.
Folland, who departed Huntress in February, claimed that the employee was "caught by the FBI" and that their involvement with Devman posed a significant risk to Huntress's clients and reputation. "If you are an employee at a cybersecurity company, you should not be helping cybercriminals," Folland asserted, emphasizing that informing criminals about active investigations or engaging in such activities is unacceptable.
Initially, Hanslovan had publicly disagreed with Folland's accusations but refrained from providing specifics. However, his subsequent blog post offered a more detailed account, asserting his belief that the communications did not rise to the level of insider activity. "As a result of the investigation, my team implemented more robust policies for our researchers, coached teammates on engaging with threat actors, and took appropriate administrative actions," Hanslovan wrote.
Despite Hanslovan's assessment, Folland maintains his stance, arguing in a LinkedIn post that the communications clearly meet the definition of an insider threat. He alleged that the Huntress employee not only forwarded exact FBI communications, including screenshots with agent names, but also informed Devman that law enforcement was actively investigating him and refused to cooperate with the FBI's request for information on Devman.
According to Folland, the FBI itself notified him of this incident involving the current Huntress analyst. The Register's attempts to solicit comment from the FBI were unsuccessful. Folland further elaborated, "This was not just ‘poor judgment.’ This was a Huntress employee taking sensitive knowledge about a law enforcement approach and passing it directly to the person being investigated. If someone inside a bank warns a fraudster that police are investigating them, nobody would describe that as merely ‘poor judgment.’ They would call it what it is – an insider."
Huntress has stated that while they have not found evidence of illegal conduct, insider activity, or additional disclosures, their investigation is ongoing. The company has cited privacy rights for not commenting further on the specific administrative actions taken or the details of the ongoing probe, but has emphasized policy updates and coaching for its research team.