DataBreaches.Net


A guilty plea in the PowerSchool case still leaves unanswered questions

Posted on June 12, 2025 by Dissent

On June 6, 19-year-old Matthew D. Lane pleaded guilty in federal court in Massachusetts to one count each of conspiracy to commit cyber extortion, cyber extortion, unauthorized access to protected computers, and aggravated identity theft. The first two charges were related to an unnamed telecom company identified as “Victim 1.” The third and fourth charges related to “Victim 2,” widely known to be PowerSchool. PowerSchool’s massive data breach in 2024 had impacted more than 60 million students and 10 million school district employees across the country.

Although we learned some details about the PowerSchool breach in Lane’s case, there is still much that we do not know.  A re-reading of the original Information and Lane’s plea deal enabled us to spot some of what is missing, however:

Lane was not charged with conspiring to cyber extort or cyber extorting PowerSchool in December 2024.  Lane was only charged with hacking PowerSchool and with aggravated identity theft for misusing the login credentials of a contractor’s employee to gain access to PowerSchool. The Information was carefully worded: “On or about December 28, 2024, Victim 2 received a ransom demand.” It never states that Lane caused it, wrote it, or sent it.

Why wasn’t Lane charged with conspiracy to cyber extort and cyber extortion of PowerSchool?

Lane was not charged with conspiracy to cyber extort or cyber extorting PowerSchool clients in May 2025, and there is no mention of the May 2025 extortion attempt in the court filings at all.

Why wasn’t Lane charged with conspiracy to cyber extort and cyber extortion of PowerSchool clients in May 2025?

We’ll consider both of those questions below.

What Do We Really Know About the December Extortion?

Pretty much, nothing. PowerSchool publicly admitted that they paid ransom in the December 2024 attack. They never revealed how much they paid of what was reportedly an initial demand of $2.85 million in BTC. And importantly, they never publicly revealed who sent them the extortion demand and from what email address, despite repeated requests that they reveal that information. That information would help identify the threat actors and warn other entities about them. Although the CrowdStrike investigation report, which was made public, provided some information on the attack and IOCs, the report did not address the extortion part of the incident.

At some point, people began mentioning “ShinyHunters” as being responsible for the breach. The basis for their statement was not revealed and so it was not possible to determine if they were attributing the hack to ShinyHunters, the extortion, or both, and why.

Lane pleaded guilty to hacking PowerSchool. That doesn’t rule out the possibility that he had help or a co-conspirator in hacking them, even if no co-conspirator was specifically mentioned in the court filings. And it doesn’t rule out the possibility that he had help extorting PowerSchool.  But there has been no evidence presented to support a claim that ShinyHunters was responsible for hacking PowerSchool, and there has been no evidence presented to support a claim that ShinyHunters was responsible for extorting PowerSchool in December 2024.

But could Lane have had help extorting PowerSchool, and could any such help have been provided by ShinyHunters?

According to court records, Lane was frustrated that he hadn’t secured a bigger payment from the telecom and wanted to find a company that would make a big payment. It would not be surprising if he sought help achieving that goal and that he might reach out to ShinyHunters. ShinyHunters and Lane were both in BreachForums, where Lane was known as “g0re” (“g0retrance”). ShinyHunters, who was the owner of BreachForums, has been active on forums since 2020 and has been known to offer their services to sell stolen data or to extort victims and handle negotiations (what we might call an “Extortion-as-a-Service” model where they take a percentage of any ransom paid).

But did Lane and ShinyHunters conspire to extort PowerSchool?  There is no hard evidence to enable us to conclude that ShinyHunters was involved in the extortion.  [If the extortion demand that PowerSchool received in 2024 came from a known ShinyHunters email address and was signed “ShinyHunters,” that would be relevant evidence. But we don’t know because PowerSchool has not been transparent.]

As Jon DiMaggio has written, attribution is hard and needs to be rooted in evidence, and not feelings or just suspicions. And if we adhere to that standard, we recognize that there has been no evidence presented that supports attributing the extortion of PowerSchool in 2024 to ShinyHunters or to Lane and ShinyHunters working together.

What Do We Really Know About the May 2025 Extortion?

On or about May 6, 2025, the North Carolina Department of Public Instruction and some PowerSchool district clients received extortion demands. The lengthy demand email, which DataBreaches obtained a text copy of, appeared to involve the same data as the 2024 incident. The email began:

Hello, we are ShinyHunters.

We are contacting IT personnel and administrators across North Carolina school districts and the Department of Public Instruction to inform you that a significant databreach of NC School District systems across the state has occurred. As a result, student and teacher records from all districts have been compromised.

The email contained a listing of data types, schools, with samples and offers of larger samples on request, all intended to convince the recipients that the sender was in possession of all of the data, and there would be serious consequences if the victims did not pay.

 You have 72 hours to comply with the following:

Send a representative/negotiator that represnts the entierty of North Carolina to negotiate this settlement with us.

25 Bitcoin (BTC) to be paid to the following address: bc1qpzt8et39w3texfn0r7jt6fjkz2khdarnwskqpk

(Note: The amount is negotiable, but the payment must be made promptly.)

 Failure to meet these demands will result in the public release of the compromised data.

The email was sent from [email protected] and contained a Tox ID for victims to use to contact the sender about payment or payment negotiations.

“IntelBroker” is the alias of a well-known blackhat hacker who has been involved in some high-profile hacks. He was also the nominal owner of BreachForums after ShinyHunters stepped down as owner. But as far as DataBreaches knows, IntelBroker was not actually a member of ShinyHunters, and anyone could have created a Protonmail account called “Intelbrokers” to suggest that the email came from IntelBroker and that he was part of ShinyHunters. This was not compelling evidence.

While the email address didn’t prove that the email really came from IntelBroker or ShinyHunters, neither did the Tox ID provided in the email for negotiations. When DataBreaches recently sent a friend request to that Tox ID, it responded with a “Hello” from “shinycorp.” But again, anyone could create a Tox ID and call themselves anything. This, too,  was not hard proof of ShinyHunters’ involvement. The Tox account has been offline since DataBreaches sent a message after receiving the “Hello.”

Attempts to reach ShinyHunters to request comment on the allegations were unsuccessful as any of their former email addresses, jabber accounts, and Telegram accounts that DataBreaches knew all seem dead or deleted.

Analysis of Motive to “Double-Dip”

When considering the May 2025 extortion attempt, perhaps we could have started our analysis by asking whether Lane would even try to “double-dip,”  i.e., try to extort victims after he had already been paid by PowerSchool.

The forfeiture part of Lane’s plea agreement lists a figure of almost $161,000 to be forfeited as proceeds of his criminal activity in the two cases (the unnamed telecom and PowerSchool):

Defendant admits that $160,981 is subject to forfeiture on the grounds that it is equal to the amount of proceeds Defendant derived from the offense. Defendant acknowledges and agrees that the amount of the forfeiture money judgment represents proceeds the Defendant obtained (directly or indirectly), and/or facilitating property and/or property involved in, the crimes to which Defendant is pleading guilty

We know from court filings that Lane received $75,000 or less from the unnamed telecom. Doing the math, then, he seemingly received about $85,000 or more from PowerSchool. That amount is so low compared to the initial demand amount that it might represent just his share of the ransom if he had a co-conspirator handling the extortion who took a bigger percentage.

But would Lane really try extorting clients on May 6? DataBreaches does not know the date of any raid or arrest of Lane, but he signed the plea agreement on May 20. DataBreaches thinks it’s unlikely that Lane would still have been in possession of his devices or would be risking further charges by trying a new extortion campaign on May 6 if his attorney was already working to get him a plea deal.

DataBreaches also learned that the BTC wallet that was used for the May 6 re-extortion attempts was active as recently as June 4.  Four deposits totaling 10.14 BTC were made to it on June 4 and 10.14 BTC was then transferred out on June 4. That was approximately $1 million in and out on June 4. Who would have or could have moved funds from that wallet on June 4?  It’s unlikely to have been Lane, who had already signed his plea deal by then, unless he was doing so at law enforcement’s instruction. And who were the payments from? Were they from PowerSchool clients or some targets totally unrelated to PowerSchool?

Was someone still using that wallet but for other purposes now? We simply don’t know.

Could ShinyHunters be the May 6 extortionist, as the email claimed?  Perhaps, but there is no hard evidence to support that hypothesis, and sources knowledgeable about ShinyHunters state that they have never known ShinyHunters to double-dip.

Conclusion

This post will be updated if more information becomes available. We continue to hope that PowerSchool will do what law enforcement recommends victims do — share information so others learn and can be warned. PowerSchool knows what email account sent the original demand and they know how communications were signed. They should tell us.

For now, we simply note that the plea agreement Lane reached has an important exclusion clause:

 “This Agreement is only between Defendant and the U.S. Attorney for the District of Massachusetts. It does not bind the Attorney General of the United States or any other federal, state, or local prosecuting authorities.” 

Will we eventually see Lane charged with conspiracy to extort and extortion of PowerSchool in another case?  It’s possible, and maybe that’s why he wasn’t charged with conspiracy to cyber extort and cyber extortion in this case. There may be another case somewhere waiting for him – one that involves an as yet unnamed co-conspirator who will be charged with extorting PowerSchool. Double jeopardy wouldn’t attach for extortion charges for Lane because they weren’t charged in this case.

Finally, DataBreaches anticipates that there will be some people who think this site is defending ShinyHunters or supporting them. This site is simply adhering to the standard that attribution should be rooted in evidence that we can all look at and agree on.

If anyone has relevant information and evidence, please contact this site.

 

Category: Breach Incidents, Business Sector, Commentaries and Analyses, Education Sector, Hack, Of Note
