Former Huntress Analyst Alleges Insider Leaked Information to Ransomware Criminal
Former employee accuses company of prioritizing pending IPO over client security
By The Register
Cybersecurity firm Huntress has denied an “insider” narrative after a former employee claimed a colleague passed information to a ransomware criminal.
Cybersecurity company Huntress is facing public allegations from a former employee who claims a company insider shared information with a ransomware criminal.
The claims were made by former Huntress security operations analyst Ben Folland, who left the company in February.
According to The Register, the allegations surfaced after Huntress disclosed it was among hundreds of customers affected by a separate supply-chain attack involving Klue, a customer intelligence platform.
Folland’s claims do not relate directly to the Klue incident. Instead, they concern an earlier matter which he says he discovered in December 2025.
In posts shared on LinkedIn, the former analyst alleged that another Huntress employee had passed communications from US law enforcement to a cybercriminal linked to DevMan.
DevMan is described by security researchers as a ransomware operation that first emerged in 2025 and has used modified DragonForce ransomware code.
Folland also alleged that Huntress had tried to conceal the incident from partners, customers and employees, claiming the company was more focused on a possible IPO than transparency.
The claims have triggered discussion across social media and cybersecurity forums, partly because Huntress is itself a security company trusted by businesses and managed service providers.
Huntress has rejected the suggestion that it prioritised a public listing over the safety of customers or partners.
Chief executive Kyle Hanslovan told The Register that a former employee had raised concerns that a teammate had shown poor judgment when communicating with a cybercriminal.
He said security researchers sometimes need to communicate with suspected cybercriminals to gather intelligence that can support customers and partners.
The company said it had taken the concerns seriously, but also had a responsibility to protect confidentiality around employees and an ongoing investigation.
In a separate response on Reddit, Hanslovan said Huntress strongly disagreed with the “insider” narrative and said the company did not prioritise an IPO over the safety of its partners, customers or team.
He also said some aspects of the matter involve active coordination with law enforcement and legal proceedings, which limited what the company could say publicly.
The Register said it contacted Folland for more information but did not receive a response.
The situation remains unresolved publicly, with allegations made by a former employee and a firm denial from the company.
For businesses, the case highlights a sensitive issue in cybersecurity: security researchers may sometimes communicate with criminals or suspected criminals to gather intelligence, but those interactions need strict controls, documentation and oversight.
The distinction matters: contact with a threat actor can be part of legitimate threat intelligence work, but sharing sensitive information or interfering with law enforcement activity would be a far more serious matter.
At this stage, no public finding has confirmed the former employee’s allegations.
The dispute also shows how reputational risk can escalate quickly for cybersecurity firms, especially when claims are made publicly by former staff and then discussed across social media.
For small businesses and managed service providers that rely on external security vendors, the practical lesson is to ask clear questions about incident disclosure, internal access controls, staff vetting and how threat-intelligence work is governed.
Cybersecurity companies often ask clients to trust them with sensitive systems and data. That makes transparency, governance and careful handling of internal investigations especially important.