In November 2021, when “g0retrance” defaced the website of the Massachusetts Interscholastic Athletic Association (MIAA) with a message saying “PWNED,” the hacker, who also used the moniker “netsaosa,” left a message under it “should have listened to my emails instead of ignoring me … don’t worry, this is harmless. just to get ur attention :)”
Boston.com reported that the hacker’s self-described intent was simply to get MIAA’s attention:
“I didn’t hide myself on purpose because I just literally wanted to talk to them about this,” g0retrance wrote to Boston.com. “I wanted to help but was ignored.”
DataBreaches noted the incident at the time, and then kept an eye on g0retrance when he would post on forums such as RaidForums and BreachForums.
Now, almost four years later and just days before he is sentenced for hacking an unnamed wireless telecommunications firm and PowerSchool, DataBreaches idly wonders if the teenager who is being characterized as a “sophisticated cyberattacker” by age 19 might have pursued more lawful and “white hat” ways of getting attention and helping with his computer skills if MIAA had responded to his emails.
No, DataBreaches is not blaming MIAA for Matthew Lane’s crimes. Lane is responsible for those and has accepted responsibility for them in his plea agreement. But were there points at which different responses to his activities might have made a significant difference?
On June 6, Lane pleaded guilty to one count each of cyber extortion conspiracy, cyber extortion, unauthorized access to protected computers, and aggravated identity theft. In its sentencing memorandum (embedded below), the government seeks a sentence of 84 months in prison, 36 months post-prison supervised release, more than $14 million in restitution (mostly for PowerSchool), and forfeiture.
The 84 months term is within the federal sentencing guidelines for his offense level. Federal prisoners are required to serve at least 85% of their sentence, although the total time served can be decreased for good behavior and other factors. The sentencing guidelines range does not require judges to sentence within those limits. Judges have a certain amount of discretion and can sentence someone to less than the minimal sentence or more than the maximum sentence in the guidelines. But whatever District Judge Margaret R. Guzman decides in terms of sentencing for the first three counts, a 24-month sentence for the identity theft count is mandatory and it must be served after the other sentences, not concurrent with them.
The memorandum includes reference to Lane’s alleged past crimes to show that he has a history of offending and that the crimes against Victim-1 and Victim-2 were not isolated incidents:
Further, Lane’s crimes were not a mistake resulting from an isolated lapse in judgment. Rather, they were part of a pattern of criminal cyber activity dating to 2021 and targeting victims ranging from a school athletic association to private companies to foreign governments. PSR¶¶ 43-47.
Later in the memorandum, the government writes:
The need for both general and specific deterrence heavily weigh in favor of the government’s sentencing recommendation. As described in the PSR, Lane has been an active and persistent cyber attacker since at least 2021. In addition to Victims 1 and 2, Lane targeted a minimum of six other victims, including foreign government entities. PSR ¶¶ 43-46. As he described in his own words, Lane planned to target additional victims, including U.S.-government contractors. Id. ¶¶ 14, 19. Nor did Lane need much motivation to engage in criminal cyber activity. As he told a co-conspirator, he was willing to “dox,”—that is, publish the private identifying information of individuals online—for just $25. Id. ¶ 26. Lane’s proclivity for cyber crime will not go away simply because he has been caught this time; indeed, when he was interviewed in connection with the search of his dorm room, he lied to investigators and fabricated a story about receiving packages of cash. Id. ¶ 41. In a subsequent interview, Lane lied about ever engaging in extortion, and only admitted his conduct when faced with his indisputable text messages confirming he did just that. Accordingly, a meaningful term of imprisonment is necessary to convey the message to Lane that there are serious consequences for breaking the law, attacking and extorting victims, causing more than $14 million in losses, and putting tens of millions of innocent children and their teachers at risk of identity theft.
Although an interesting report by The74 digs into Lane’s past and includes comments by Cyble about Lane’s past history of alleged crimes, DataBreaches reminds the public that Lane was never charged, tried, nor convicted of any crimes other than Victim-1 and Victim-2 in this case. As such, those past alleged crimes cannot be considered in sentencing Lane. He has no convicted history as a “seasoned criminal.” All that is before the court is the Victim-1 and Victim-2 incidents that Lane pleaded guilty to.
Under the circumstances, one might reasonably wonder why Lane wasn’t charged with other incidents that the prosecutor and Cyble’s Kaustubh Medhe mention. DataBreaches has no idea why he wasn’t, but the court can only sentence Lane based on the case before them.
In response to the prosecution’s memorandum (below), Lane’s defense counsel has submitted a sealed record with exhibits to the court. The docket suggests that these sealed records will containt reference to medical issues. We do not know what sentence the defense counsel is arguing for.
Frustration, Sadness, and a Future Derailed
On October 14, Matthew Lane will learn his sentence in a Massachusetts courtroom. As bad as he may feel for himself, his sentence will probably be more devastating for his family.
There was a time in his life when Lane seemed interesting in helping companies with their cybersecurity and claimed he would have relished getting responses and talking to companies. Did anyone reinforce him for that? Did we miss a moment to change a life, or wouldn’t it have made a difference?
UPDATE: On October 14, Lane was sentenced to 4 years in prison, 3 years supervised release after that, $14 million in restitution, and forfeiture of the $160k law enforcement found. Lane reportedly expressed remorse and said he was disgusted with himself.
gov.uscourts.mad.284962.16.0
I’m of the opinion that the US government and law enforcement agencies would do well to stop trying this deterrence tactic of throwing the book at young “cyber attackers”. It’s clear to anyone paying attention that this theater will be one of the deciding battlefields in any future international conflict and rather than trying to reform and mold wayward natural talent we instead labor to make examples of all of them and rely on Navy, Air Force and “cyber” graduates who didn’t write a line of Python until their college professors explicitly taught them to.
I think at this point everyone is just betting on AI agents to make up the deficit and that seems like a fatal error, but one that we won’t recognize until we’ve already lost.
Perhaps Shiny and their seeming disdain for our government isn’t entirely off-base.
Great article as always DataBreaches.
I just caught up with this comment. I think we are definitely missing out on talent that could benefit our country. But the psychology matters. There are people who may be very talented, but sadly, I don’t think they could really be trusted not to get angry or spiteful or impulsive. So we’d have to consider what guardrails we could have in place. Suppose we’re talking about a 14 year-old or 15-year old who has been engaging in a lot of crime. What do we do with them? I have had conversations with some FBI agents about the need for appropriate programs and they nod their heads, but where is there any program? If such programs exist, I am unaware of them.
We’ve got to do better reaching kids earlier to prevent them from becoming experienced criminals by age 15, and to have something to re-direct those who did engage in crime.