On a recent Tuesday morning, as his parents were driving him to the federal prison in Connecticut where he’ll be locked up for the foreseeable future, 20-year-old Matthew Lane sent a text message to ABC News.
“It’s extremely sad, and I’m just scared,” he wrote.
Barely a year earlier, while still a teenager, he helped launch what’s been described as the biggest cyberattack in U.S. education history — a data breach that concerned authorities so much, it prompted briefings with senior government officials inside the White House Situation Room.
The breach pierced the education technology company PowerSchool — used by 80% of school districts in North America — and “put at risk the security of 60 million children and 10 million teachers,” the Justice Department said.
With threats to expose social security numbers, dates of birth, family information, grades, and even confidential medical information, the breach cornered PowerSchool into paying millions of dollars in ransom.
“I think I need to go to prison for what I did,” Lane told ABC News in an exclusive interview, speaking publicly for the first time about the headline-grabbing heist and his life as a cybercriminal.
“It was disgusting, it was greedy, it was rooted in my own insecurities, it was wrong in every aspect,” he said in the interview, two days before reporting to prison.
Matthew Lane looks out a window in Worcester, Massachusetts, two days before reporting to federal prison.
ABC News
Lane is just one example of what cybersecurity experts, authorities and even Lane himself say is a wide-ranging menace: a new generation of tech-savvy teenagers who are uniquely dangerous and surprisingly young.
“We’ve worked cases where individuals as young as 14 are being interviewed by the FBI,” said Supervisory Special Agent Doug Domin, who oversaw the PowerSchool investigation out of the FBI’s Boston field office.
Members of Generation Z — who have had digital devices and the Internet in their lives since birth — are particularly vulnerable to the allure of cybercrime because the social media platforms they inhabit can glorify “a criminal lifestyle”; the gaming platforms they frequent can boost their “hacker skill sets”; and the technology used for hacking is “so available,” according to Fergus Hay, the CEO of a European-based group called “The Hacking Games” that’s now working to keep kids around the world out of cybercrime.
“So a young person with less technical skills can do more damage than a previous generation,” Hay said.
In September, authorities arrested a boy from Illinois who in 2023, at age 15, allegedly launched a devastating cyberattack on Las Vegas casinos that reportedly cost MGM Resorts alone more than $100 million. He is awaiting trial.
The same month, the Justice Department announced the overseas arrest of a 19-year-old British national who, starting at age 16, allegedly helped a notorious international cybergang hack into the networks of nearly 50 U.S. companies and more than 60 others around the world, extorting them out of $115 million in total. He has yet to be extradited.
Fergus Hay, the CEO of The Hacking Games, speaks to high school students in Manchester, England.
ABC News
Hay and his group of entrepreneurs and cybersecurity experts, which includes a former FBI agent, say they’re so concerned about what could be coming next that they’ve launched an education and media campaign targeting Generation Z, backed by a testing platform they developed to identify what they say is often-overlooked talent for the cybersecurity field.
“You’ve got this whole young generation who are like free-range chickens out there,” Hay said. “Under no guidance, they can fall into really, really bad habits. Under the right guidance, you can take this generation and use their skills [positively].”
For Lane, such intervention came too late.
“I couldn’t stop,” he said of his cyber crimes. “I was addicted to hacking.”
‘That’s how I fell into it’
According to Lane, his story began on Roblox, the colossal online gaming platform popular with children and teens.
As he remembers it, by the time he was 9 or 10 years old, he was struggling with his mental health and what he later would learn was autism. He said he felt “different” and like “an outcast” at school, so he found “solace” on Roblox.
But on Roblox he also found cheaters — people who could reprogram games to gain an advantage — and he wanted to figure out how to do that too, he said.
That led him to a world of online “hacking forums,” where accomplished hackers not only share trade secrets but also sell vast databases of stolen information — including hijacked usernames and passwords — and even brag about their digital misdeeds, Lane said.
They also praise each other — offering a dangerous “sense of camaraderie,” Lane said — and they post photos and videos of themselves playing with stacks of cash, expensive cars, and other tainted luxuries.
Matthew Lane is seen showing off jewelry in a screengrab from a video he made in his freshman year of college.
Matthew Lane
“You see this lavish, luxurious lifestyle,” Lane recalled. “As a young kid you’re like, ‘I’m gonna do that.’ And that’s how I fell into it.”
Lane and others warn that online forums also attract criminal groups seeking to recruit potential hackers.
“The bad guys are on all the platforms watching the kids playing,” Hay said. “And when they see an elite-level performer, they go approach that kid, masquerading as another kid, and they go, ‘Hey, you want to earn some [money]? … Here are the tools, here are the techniques.'”
In a statement to ABC News, Roblox noted that cybercrime is “an industry-wide challenge” and said that the gaming platform routinely reports cyber-enabled crime to law enforcement. Roblox also said it is using “cutting edge anti-cheat systems” to stop cheating on its platform.
On Monday, Roblox announced that, starting in June, it will offer age-checked accounts for younger users that limit what games they can play, and add “more closely align content access, communication settings, and parental controls with a user’s age.”
‘Incomparable to any drug’
Lane said he was a prolific cyber criminal by age 15, and usually directed his cyberattacks toward “big, big” targets.
“I would just search ‘Top Fortune 500 companies,'” he said with an anxious laugh.
He said that 90% of the time, he and others he worked with gained “initial access” to a target’s system by using a “specially-curated tool” that Lane helped build, which could identify vulnerabilities on a website.
Once inside a target’s system, he and the others would “spread our resources to each part of the website or company,” secretly stealing whatever data they could, he said.
“And then [the final step] is ransom,” he said.
According to Lane, he spent his “ill-gotten gains” on designer clothes, diamond jewelry, DoorDash deliveries, Airbnb rentals for him and his friends, and drugs — “lots of drugs.”
He said he would numb ever-present feelings of guilt with drugs — from high-potency marijuana to acid. But it was hacking that gave him the strongest high.
“It’s indescribable the adrenaline you get when you do something like that,” he said. “It’s way more than driving 120 miles per hour. … Incomparable to any drug at all, as well.”
Lane said he was in a dangerous and “disconnected” spiral, convincing himself over and over again that at some point he would either “end up dead” or figure out a way to make himself stop — “and I didn’t do either of those.”
‘Destroy your company’
By the fall of 2024, Lane found the source of his next fix: Credentials stolen from a PowerSchool contractor were available online.
They were a gateway to a global powerhouse, with PowerSchool operating in about 90 countries around the world. PowerSchool had become so influential that in 2023, its CEO was invited to speak at the White House during an event promoting cybersecurity in education.
According to court documents, Lane used the contractor’s credentials to rummage through PowerSchool’s systems undetected, and he leased a server in Ukraine, where an alleged co-conspirator eventually transferred significant amounts of student and teacher data.
Then, in late December, PowerSchool received a series of threatening messages claiming to be from a global cybercrime syndicate. The threats vowed to release the sensitive personal information of tens of millions of students — some as young as 5 — if PowerSchool didn’t pay nearly $3 million in cryptocurrency.
In this screen grab from Google Maps Street View, PowerSchool headquarters is shown in Folsom, Calif.
Google Maps Street View
“[W]e fully intend to destroy your company … if the ransom is not paid,” said one message. But the messages also assured PowerSchool that the stolen data would be erased once the ransom was paid.
So PowerSchool paid the ransom, saying later that it was a “very difficult” decision but that “it was our duty” to try to keep the data from being made public.
According to a PowerSchool spokesperson, “not all” of PowerSchool’s customers “were affected” by the breach. But the spokesperson declined to say how many people were impacted.
‘FBI! We have a search warrant‘
The breach became public in early January 2025, after PowerSchool began notifying certain school districts about it and parents across the country started receiving warning letters about the breach from their children’s schools.
The FBI’s Cyber Task Force in Boston, meanwhile, was devoting most of its resources to uncovering who was behind the breach, according to Domin, the head of the task force.
Within weeks, the FBI figured out at least one of them: a 19-year-old freshman at Assumption University in Worcester, Massachusetts.
At about 6:30 on a Tuesday morning last April, FBI agents started banging on the door of Lane’s second-floor dorm room. “FBI! We have a search warrant,” Lane recalled them shouting.
They seized his devices and many of the luxury items he bought with “dirty” money, as he put it. He said he felt a “wave of relief.”
“I’m honestly thankful for the FBI,” he said. “After they left, I was like, ‘It’s over … I’m done with this.'”
But those impacted by the breach were hardly done with it.
A week after the FBI search, school districts in North Carolina and as far north as Canada started receiving a new round of threatening messages, using some of the same previously-stolen data to extort the schools.
FBI Supervisory Special Agent Doug Domin is seen at the FBI’s Boston field office.
ABC News
It turned out that — despite earlier assurances to the contrary — what one state official described as a “rogue actor” tied to the original breach secretly kept some of the data. Lane said he didn’t know about that.
Domin said those affected by the original breach “will have to mitigate this issue for their entire life.”
“They’re going to be re-victimized every time that dataset show up in the wild,” he said.
In the wake of the breach, PowerSchool offered two years’ worth of credit-monitoring and identity protection services to concerned customers.
“PowerSchool takes the responsibility to protect student data privacy and to act responsibly as data processors to schools and districts extremely seriously,” the company’s spokesperson said.
In his interview with ABC News, Lane said he now appreciates how much his actions impacted real individuals — not just faceless companies that he thought would “get bailed out” by insurance.
He said he thinks about IT staffers with families who had to work overtime to “clean up after [my] mess.”
In June, Lane pleaded guilty to unlawfully accessing PowerSchool’s computers and to three other federal charges, including cyber extortion, stemming from a separate breach. A federal judge in Massachusetts sentenced him to four years in federal prison and ordered him to pay more than $14 million in restitution.
‘Like a gun’
During Lane’s sentencing hearing in November, the judge issued a stark warning about young people: “If we put the computer in their room, the phone in their hand, it’s like a gun,” U.S. District Court Judge Margaret Guzman said.
The judge said society must find a way to “help our children … use computer technology in ways that are helpful to society.”
That’s exactly what The Hacking Games, the European-based group of entrepreneurs and cybersecurity experts, is trying to do, with a focus on Generation Z — especially those who are neurodivergent like Lane.
“Neurodiversity is so interesting because it’s often been seen as a handicap,” Hay said. “[But] neurodivergent people … see solutions to puzzles that other people don’t see.”
According to Hay, The Hacking Games has developed “the world’s first” artificial intelligence-backed aptitude test that ties gaming prowess and neurodiversity to cybersecurity skills, in an effort to identify future industry experts. It’s called the “Hacking Aptitude AI Platform,” or “HAPTAI.”
“We’re looking at the wrong things,” Hay said of the cybersecurity industry. “What we’re not looking at is, ‘How good are you at gaming? How good are you at hacking those games? How neurodivergent are you?. … None of that data lives on LinkedIn. None of that data is in resumes.”
But those are just the types of new hires who can help technology companies, intelligence agencies, and financial institutions “build their walls higher,” Hay said.
Roblox said it has hired “several young people” to help secure its systems after they participated in another program, run by the San Francisco-based cybersecurity company HackerOne, that pays cyber-skilled operators of all ages to identify security gaps on certain public-facing websites.
Experts and authorities also agree that parents must play an important role in keeping teen gamers away from cybercrime.
“Parents need to understand what their kids are accessing, what platforms they’re on, putting barriers up, putting timers on technology,” Domin, the FBI official, said.
But Hay insisted that parents need to do more than just watch what their children are doing.
“You’ve got to get in there and game with them,” he said. “In the same way you might take your kids out to the park to go and play soccer, or throw a ball, you’ve got to get it in there and game with them, because then you’ll understand their culture, how they talk to their friends, [and] who’s talking to them.”
In this June 6, 2025, file photo, Matthew D. Lane of Sterling leaves the U.S. District Courthouse in Worcester, Mass.
Brad Petrishen/The Worcester Telegram & Gazette via USA Today Network via Imagn Images, FILE
As for Lane, he said he wants to be “a cautionary tale” for others.
“I hope I can convince at least one person not to go down my path,” he said. “Even if it’s one person, I’d be happy, honestly.”
Lane told ABC News that after working to improve himself in prison, including by undertaking therapy and advancing his education, he hopes to one day work in cybersecurity.
In a message from prison last week, he said that in the past three months behind bars, “I have made more progress regarding the improvement of my mental health [and] overall being … than I have in the past 6 years.”
“I was given a second chance at life,” he said.
Meanwhile, Domin said the investigation into Lane’s co-conspirators “is ongoing.”
ABC News’ Zoe Chevalier contributed to this report.
