Analysis

A Huntress Analyst Says a Colleague Tipped Off a Ransomware Crew

A former Huntress analyst claims an insider passed law-enforcement communications to DevMan, a ransomware crew targeting his family. Huntress says it was poor judgment, not betrayal. The dispute is unresolved; the lessons are not.

RedEye Security  |  June 26, 2026  |  6 min
TL;DR
  • What: Former Huntress security operations analyst Ben Folland publicly alleges that a current colleague passed communications from US law enforcement to DevMan, a ransomware crew he says has been targeting him and his family. He has promised to publish supporting evidence.
  • Huntress's position: CEO Kyle Hanslovan says a former employee "raised concerns that a teammate exercised poor judgment," not that anyone aided a criminal, and that researchers sometimes must talk to suspected cybercriminals to gather intelligence. He has said he "firmly disagrees" with the insider-threat framing.
  • Why it spread: The accusation landed the same week Huntress disclosed it was one of hundreds of customers caught in the Klue supply-chain breach, and Folland used the company's own "radical transparency" language against it.
  • The lesson: The claims are unproven, but the underlying risks (insider access, the ethics of researcher-to-criminal contact, and counterparty trust in your own SOC) are real for every defender regardless of how this dispute resolves.

The strangest insider-threat story of the year is not about a leaked database or a planted backdoor. It is a public argument between a security company and one of its own former analysts, and it is playing out on social media in real time.

As reported by The Register, Ben Folland, a former security operations analyst at Huntress, alleges that a colleague leaked communications from US law enforcement to a ransomware operation called DevMan, a crew he says has been publicly targeting him and his family. Huntress disputes the characterization. Nothing here is settled, and we are not going to pretend otherwise. But the questions the episode raises are worth a defender's attention even before the evidence lands.

What is actually being claimed

The clearest artifact so far is Folland's own resignation email, dated 29 December 2025, which he later shared publicly. In it he gives formal notice, thanks the team, and then states his reason for leaving: a "conflict of interest that arose from a discovery that on December 20th, another Huntress employee passed communications from US law enforcement to a cybercriminal, DevMan, who is actively and publicly targeting my family and me." His last day was set for 19 February 2026.

DevMan is a real and recent ransomware brand. The operation surfaced around April 2025 running a modified build of DragonForce's ransomware, and Folland says it has named him directly. On 25 June 2026 he took the accusation public, punctuating it with a Pinocchio GIF and a clown emoji aimed at his former employer, and promised to publish supporting material within roughly two weeks: law-enforcement correspondence, the employee-to-criminal exchanges, recorded calls, internal memos, and the threats made against his family.

A note on what this post is, and is not

These are allegations. As of writing, the supporting evidence Folland describes has not been published, and Huntress rejects the insider-threat framing. We are summarizing a public dispute and drawing security lessons that hold either way. We are not asserting that any named individual leaked anything to a criminal.

How Huntress responds

Huntress co-founder and CEO Kyle Hanslovan has not stayed quiet. His account, per The Register and his own public comments, is materially different: a former employee "raised concerns that a teammate exercised poor judgment," which is not the same as a teammate feeding intelligence to an extortion crew. He has pointed out that threat researchers sometimes have to communicate with suspected cybercriminals to gather intelligence, and that those interactions are deliberately kept confidential to protect investigations. On Reddit he said plainly that he "firmly disagrees" with the insider-threat narrative.

That tension is the actual story. One side says an insider helped a criminal who is hunting my family. The other says a researcher engaged a criminal as part of the job, and a colleague misread it. Both descriptions can be sincerely held, and the gap between them is exactly where the security questions live.

The uncomfortable middle

Threat research routinely requires contact with the people it studies: negotiation channels, criminal forums, direct messages with extortion operators. That contact is legitimate and often necessary. It is also nearly impossible to police from the outside, because the same behavior (a researcher talking to a ransomware crew) looks identical whether the intent is intelligence-gathering or something worse. Process is the only thing that tells them apart.

The transparency angle that made it spread

The accusation did not land in a vacuum. In the same window, Huntress disclosed it was among the hundreds of organizations swept up in the breach of Klue, a market-intelligence platform, when a threat actor exfiltrated data from Klue customers' Salesforce accounts. By Huntress's account the exposed data was sales-related (business contacts, price quotes, messaging) and did not touch agent telemetry, passwords, or payment data. Huntress wrote it up publicly and framed it around the company's belief in "radical transparency about security incidents, including when it affects our company."

That line became the lever. Folland and others quote-tweeted the breach write-up and pointed out the obvious irony: a company praising its own transparency about an external breach was, at the same moment, being accused of a far more serious internal problem it was not being transparent about. Whatever the facts turn out to be, "radical transparency" is a high bar to set publicly, and the internet noticed the gap.

What defenders should take from this, regardless of who is right

You do not need a verdict to act on the lessons. Strip out the personalities and the same four issues apply to any security team.

What we will be watching

Folland says he will publish evidence. The honest read today is that this is contested, the proof is not yet public, and a serious accusation deserves serious substantiation. If the documents arrive and hold up, this becomes a landmark insider-threat case for the security industry. If they do not, it becomes a cautionary tale about how fast a workplace dispute can become a public one. Either outcome is instructive.

Bottom line

We are not here to convict anyone over a tweet and a Pinocchio GIF. The allegations are unproven and Huntress contests them. But the value for defenders does not hinge on the verdict: insider access, the ethics and logging of researcher-to-criminal contact, third-party breach exposure, and the cost of your own transparency promises are live risks in every security organization, including the ones whose job is hunting threats for everyone else. Watch how this resolves, and in the meantime, make sure your own house could survive the same set of questions.
