The Bored, the Brilliant, and the Inevitable Breach

“It’s extremely sad,” he wrote. “I’m just scared.”
Matthew Lane was 20 years old when his parents drove him to prison.
He had spent the journey texting a journalist.
A year earlier, a 19-year-old Matthew Lane had been one of the most dangerous people in the United States. He had breached PowerSchool, a platform used by 80 percent of school districts across the Northern US, exposing the personal data of 60 million children and 10 million teachers. The details of five-year-olds, including Social Security numbers and medical records, what we term Sensitive Personally Identifiable Information (SPII), the kind of information that cybercriminals on the Dark Web buy and sell to the people who do unthinkable things, were stolen and ransomed.[1]
He was not a criminal mastermind, not even a cybercriminal. He was a freshman at a small university in Massachusetts who had been doing this since he was 15.
Everyone who hears this story asks, “How was he caught?”, when they should be asking “How did he get started in the first place?”
The problem with a brilliant, bored mind
Matthew Lane admitted that he grew up feeling different, struggling with his mental health from an early age. He would later learn that he was autistic. School feels alienating for many students with this condition. So, it’s unsurprising that he didn’t fit in very well. So, he went online, and online, he found Roblox.
On Roblox, he discovered something that changed the direction of his life. People who cheat, the ones who manage to bend the rules of a game, reprogram it from the inside, make it do things it was not supposed to do. To most players like us, this is an annoyance. To Matthew, it was a puzzle, the kind his mind found almost impossible to leave alone.
This is not unusual behaviour. Cyberpsychology, the study of how human behaviour and psychology intersect with technology, has a well-documented profile for people who are drawn into hacking.[2] High intelligence combined with low stimulation from conventional environments. An intense, almost physical attraction to complex problems in an online world. The everyday world moves too slowly; it is too clunky to appreciate. Give these people a system with a vulnerability in it, and that becomes their idea of utopia.
The neuroscience is relevant here because when a highly intelligent person solves a genuinely difficult problem, the brain releases dopamine, the same chemical involved in every addiction we experience.[3] The reward is not just satisfaction; it is a neurological event, creating new pathways. Dopamine can often be released more than once in a cycle, first when the problem is solved and again as a feeling of relief at resolving a problem. Just like any addiction, the threshold is not static. It rises over time, so what worked last time is not enough to release the same level of dopamine this time, and the problems have to get bigger for more dopamine to be released.
Lane described it in his own words: “It’s indescribable the adrenaline you get when you do something like that. It’s way more than driving 120 miles per hour. Incomparable to any drug at all.”
He was not exaggerating for effect; he was only describing his own neurology in action.
How the screen removes the consequences
There is a concept in cyberpsychology called the online disinhibition effect. It describes what happens to ordinary human behaviour and restraint when a person moves their actions to the privacy behind a screen.
In the physical world, consequences are visible and immediate. You can see the person you affect and register their reaction. Social norms and the fear of judgement keep most people within certain social, legal, and moral boundaries. Online, those restraints loosen as the person you are affecting is not in the room. They are not real to any combination of the senses we use to interact with other humans. They are just data: another IP address, a company name, a reference in a ransom demand.
Lane had his reasons for not seeing it as a crime. For years he’d convinced himself the companies he was targeting would simply “get bailed out” by their insurance. They were big, faceless, they could absorb it, and nobody would actually be hurt. What Lane describes here is moral disengagement in action (Bandura, 1999), a cognitive trick of the mind that lets a person reframe real harm as acceptable, and it is exactly why building human cyber-resilience in the workforce now sits alongside technology as a primary line of defence.[4,5]
When this kind of thinking shows up as a pattern in cybercrime, researchers reach for a related framework called neutralisation theory, which explains how ordinary people give themselves permission to break the rules.[6] It works through a series of mental steps that happen so quickly, and feel so reasonable, that the person carrying them out often does not notice they are happening. What is unsettling is that the same steps are usually taken by similar people in corporate environments with none the wiser.
The first step taken is usually to minimise the harm by saying things like, “It is just data, nobody gets physically hurt.”
Step two is to absolve themselves of the responsibility. “The company should have had better security. They left the door open. I’m actually helping them beef up security.”
The final step is to dehumanise the target. “It is a corporation, not a person. They have fancy lawyers and overpaid insurance. They will be fine.”
What stays invisible behind the screens is the tech team working punishing hours through the night, trying to contain damage they didn’t cause. The parents on a phone call they will never forget, being told that their five-year-old’s medical records are now somewhere on the internet. The teacher sitting across from those parents the next morning, wondering not only whether the child will be safe, but whether their own credit is about to collapse now that their identity has been leaked alongside everyone else’s, or the school whose reputation is ruined, possibly affecting their income, and all the people that they employ.
The thought finally dawned on Matthew two days before he was incarcerated. He said, “I think about IT staffers with families who had to work overtime to clean up after my mess.” Unfortunately, this moment of clarity arrived far too late.
The community that nobody warns us about
Matthew did not become radical on his own; nobody ever does.
The hacking forums he found as a child were not just places to learn techniques. They were communities, and they did what communities do. They offered belonging, nurtured through status and mentorship, offering a clear ladder to climb, and visible proof of what success looked like. Photographs of people who had done what he was about to do were posted, pictures of them next to stacks of cash, wearing designer clothes, and driving expensive cars.
For any teenager who feels like an outcast at school, this is a life-changing event. For Matthew, it was the first place that made sense. Others around him spoke a language he finally understood and valued him for his abilities. The psychological pull of being accepted by a collective, for a young person who is used to being socially awkward, is not something that an online advert or school talk can prepare kids and parents for.
The online disinhibition effect is compounded in communities where this kind of activity is seen as a skill and not a crime. The behaviour that was appreciated and accepted in the online community began to replace the strict rules of the outside world, which were difficult to understand and limiting.
Fergus Hay, who runs a European organisation working to redirect young hackers into legitimate cybersecurity careers, describes how recruitment happens in those spaces: “The bad guys are on all the platforms watching the kids playing. And when they see an elite-level performer, they go approach that kid, masquerading as another kid.”[7]
Where does it end?
Matthew was given four years in federal prison. The victims of his crime will carry the consequences of his actions for the rest of their lives, never knowing if the information taken from them will quietly resurface years from now, in a fraud attempt, a stolen identity, a loan they never applied for.
A slow decline from misunderstood teen on Roblox to federal prisoner, led by a series of unfortunate events. A lack of knowledge on the part of his parents. A general lack of information about how young hackers are recruited and groomed inside the platforms their children use every day.[8] And a long run of questionable decisions by Matthew himself, made inside an environment quietly working against him.
Why is this suddenly an important topic for your organisation?
The same mechanisms that pulled Matthew Lane into a federal prison cell are quietly at work inside every organisation with a screen in it.
The disinhibition that made Matthew’s targets feel unreal is the same force that lets an employee send client information over WhatsApp or change banking details without verifying. The reward loop that conditioned Matthew through acceptance and reinforcement is the same loop that trains employees to respond first and verify later. The community that replaced his moral compass is the same culture that quietly normalises shared passwords, shared OTPs, and shortcuts nobody questions. And the rationalisation that told Matthew, “Their insurance will pay it” is the same voice that tells an employee, “Just this once” or “I’m saving time.”
At Cyber Dexterity, cyberpsychology sits at the centre of everything we do. It threads through the content we write, the games and interactions we design, the courses we build, and the conversations we have with clients during training sessions. It is not a label we attach at the end for social credit. It is the lens we work through from the start.
Most awareness training assumes employees do the wrong thing because they did not know better. But Matthew knew, your finance manager knows, and your DevOps engineer knows. The gap is not knowledge, it is the psychology that overrides the knowledge in the moment of decision, and it is the very thing we work to uncover so that we can design for and help build a culture of resilience that changes behaviour.
The organisations best placed to prevent the next breach, the next insider incident, the next quiet failure of judgement, are not the ones with the best firewalls. They are the ones where culture is cultivated to slow down before pressure forces a decision, to think critically about whether the request, the shortcut, or the rationalisation actually fits the way work is meant to be done, to observe the patterns that show up long before an incident does, and to prove what they are seeing through a separate, trusted channel before acting on it.
Basil Polydorou – Head of Learning Solutions | BSc Cyber Psychology Candidate
References
Aptel, Cécile, and Miles Hastie. Children’s Recruitment and Use in Cyber-Operations. 27 March 2026. https://www.unicef.org/innocenti/stories/childrens-recruitment-and-use-cyber-operations.
Bandura, Albert. ‘Mechanisms of Moral Disengagement’. In Origins of Terrorism: Psychologies, Ideologies, Theologies, States of Mind, edited by Walter Reich. Woodrow Wilson Center Series. Woodrow Wilson International Center for Scholars; Cambridge University Press, 1990.
Chng, Samuel, Han Yu Lu, Ayush Kumar, and David Yau. ‘Hacker Types, Motivations and Strategies: A Comprehensive Framework’. Computers in Human Behavior Reports 5 (March 2022): 100167. https://doi.org/10.1016/j.chbr.2022.100167.
Hwang, Jiyeon, Hwansoo Lee, Keesung Kim, Hangjung Zo, and Andrew P. Ciganek. ‘Cyber Neutralisation and Flaming’. Behaviour & Information Technology 35, no. 3 (2016): 210–24. https://doi.org/10.1080/0144929X.2015.1135191.
Joinson, Adam N., Matt Dixon, Lynne Coventry, and Pam Briggs. ‘Development of a New “Human Cyber-Resilience Scale”’. Journal of Cybersecurity 9, no. 1 (2023): tyad007. https://doi.org/10.1093/cybsec/tyad007.
Knowles, Jason. ‘Gen Z Hacker “thankful That I Got Caught” after Student Data Breach Hits Thousands in Chicagoland’. Crime-Safety. ABC7 Chicago, 14 April 2026. https://abc7chicago.com/post/gen-hacker-matthew-lane-thankful-got-caught-powerschool-student-data-breach-impacts-thousands-chicago-area/18881929/.
Levine, Mike. ‘“Addicted to Hacking”: Young Hacker behind Historic Breach Speaks out for 1st Time, before Reporting to Prison’. ABC News, 14 April 2026. https://abcnews.com/US/addicted-hacking-young-hacker-historic-breach-speaks-1st/story?id=131855776.
Taber, Katherine H., Deborah N. Black, Linda J. Porrino, and Robin A. Hurley. ‘Neuroanatomy of Dopamine: Reward and Addiction’. The Journal of Neuropsychiatry and Clinical Neurosciences 24 (January 2012): 1–4. https://doi.org/10.1176/appi.neuropsych.24.1.1.
U.S. Attorney’s Office, District of Massachusetts. ‘Worcester College Student Sentenced to Four Years in Prison for Cyber Extortions’. United States Department of Justice Press Release, 13 November 2025. https://www.justice.gov/usao-ma/pr/worcester-college-student-sentenced-four-years-prison-cyber-extortions.
Wilton, Pete. ‘Aha! Moments Linked to Dopamine-Producing Regions in the Brain’. Goldsmiths, University of London, 26 April 2018. https://www.gold.ac.uk/news/aha-moment-dopamine/.