Ex-employee claims this 'meets the definition of an insider threat'
# Incident Report: Insider Misconduct and Threat Actor Communication
## Executive Summary
A senior threat hunter at cybersecurity firm Huntress disclosed sensitive information regarding a federal investigation to an active ransomware operator ("Devman"). While the firm's CEO categorized the incident as "poor judgment" following an internal investigation, a former employee and the FBI have characterized the behavior as an insider threat. The incident resulted in the exposure of law enforcement outreach efforts and specific agent identities to a cybercriminal.
## Incident Details
- **Discovery Date:** Late June 2026 (Public disclosure)
- **Incident Date:** Prior to February 2026 (Ongoing communication period)
- **Affected Organization:** Huntress
- **Sector:** Cybersecurity / Managed Detection and Response (MDR)
- **Geography:** United States / Russia (Threat Actor location)
## Timeline of Events
### Initial Access
- **Date/Time:** Undisclosed (Long-term communication)
- **Vector:** Direct outreach/communication channels
- **Details:** A Huntress threat hunter maintained "questionable, long-term" communications with the ransomware operator known as "Devman."
### Lateral Movement
- **Details:** Not applicable in a traditional network sense; however, the analyst moved sensitive law enforcement inquiries from official channels to a direct line with the threat actor.
### Data Exfiltration/Impact
- **Details:** The analyst forwarded screenshots of FBI communications, including the names of federal agents, directly to the threat actor under investigation.
### Detection & Response
- **How it was discovered:** The FBI reportedly notified a Huntress analyst (Ben Folland) of the colleague's behavior; the matter was subsequently made public via social media posts by the former employee.
- **Response actions taken:** Huntress conducted an internal investigation, coached the teammate, implemented more robust researcher policies, and took undisclosed "administrative actions."
## Attack Methodology
- **Initial Access:** Trusted employee status (Insider).
- **Persistence:** Sustained long-term rapport with the threat actor.
- **Defense Evasion:** Use of personal or unauthorized communication channels to bypass corporate oversight.
- **Collection:** Gathering sensitive law enforcement inquiry data.
- **Exfiltration:** Direct transmission of law enforcement data via chat/comm platforms to the adversary.
- **Impact:** Compromise of an active law enforcement investigation and potential endangerment of agents and staff.
## Impact Assessment
- **Financial:** Potential loss of contracts due to trust concerns; costs associated with internal investigations.
- **Data Breach:** Disclosure of Law Enforcement Sensitive (LES) information and agent identities.
- **Operational:** Disruption of a federal probe into a ransomware group.
- **Reputational:** Significant public scrutiny regarding Huntress’s ability to manage insider threats and researcher conduct.
## Indicators of Compromise
- **Behavioral indicators:** Unsanctioned, secretive communication with known adversaries; refusal to cooperate with law enforcement requests regarding a specific target.
- **External indicators:** Feedback from federal agencies (FBI) regarding employee conduct.
## Response Actions
- **Containment:** Administrative actions taken against the employee (though employment was maintained).
- **Eradication:** Implementation of "robust policies" for researchers engaging with threat actors.
- **Recovery:** Public statements by the CEO to address reputational damage.
## Lessons Learned
- **Researcher Oversight:** Threat hunting roles require strict "Rules of Engagement" (ROE) when communicating with adversaries to prevent Stockholm Syndrome or unintentional collusion.
- **Notification Gaps:** The transition of information from law enforcement to the company must be strictly controlled to prevent "tipping off" suspects.
- **Insider Definition:** There is a thin line between "advanced research" and "insider threat" when a researcher’s loyalty shifts toward the subject of their study.
## Recommendations
- **Formalize ROE:** Establish a mandatory “Second Eye” policy for any communications with known threat actors.
- **Background/Vetting:** Conduct periodic insider threat behavioral assessments for employees in high-sensitivity research roles.
- **Data Guardrails:** Implement technical controls to prevent the screenshotting and external transmission of sensitive law enforcement correspondence.
- **Clear Disciplinary Framework:** Explicitly define "tipping off" an adversary as a terminable offense in employment contracts.