BOSTON — A student at Assumption University in Worcester has been charged and has agreed to plead guilty to cyber extortion and related crimes after allegedly hacking into the networks of two U.S.-based companies and attempting to extort millions in ransom payments, according to the U.S. Attorney’s Office for the District of Massachusetts.
Matthew D. Lane, 19, of Sterling, will plead guilty to one count each of cyber extortion conspiracy, cyber extortion, unauthorized access to protected computers, and aggravated identity theft. A plea hearing has not yet been scheduled.
“Cyber extortion is a serious attack on our economy and on all of us,” said U.S. Attorney Leah Foley in a statement. “As alleged, this defendant stole private information about millions of children and teachers, imposed substantial financial costs on his victims, and instilled fear in parents that their kids’ information had been leaked into the hands of criminals — all to put a notch in his hacking belt. The alleged ransoms that this defendant and others like him demand hurt victim companies and their innocent customers whose data the companies are entrusted to hold.”
Between April 2024 and May 2024, Lane and co-conspirators allegedly attempted to extort a $200,000 ransom payment from a telecommunications company by threatening to release stolen customer data. When the company questioned the demand, Lane reportedly replied, “We are the only ones with a copy of this data now. Stop this nonsense [or] your executives and employees will see the same fate . . . . Make the correct decision and pay the ransom. If you keep stalling, it will be leaked.”
Lane also allegedly used stolen credentials to access a second company’s computer network — a software and cloud storage firm serving school systems in the U.S., Canada, and elsewhere — and transferred personally identifiable information (PII) of students and teachers to a server he leased in Ukraine.
Federal prosecutors allege that Lane demanded $2.85 million in Bitcoin from the second victim company and others in exchange for not releasing the personal information of more than 70 million individuals, including names, Social Security numbers, medical records, and guardian contact details.
“Matthew Lane apparently thought he found a way to get rich quick, but this 19-year-old now stands accused of hiding behind his keyboard to gain unauthorized access to an education software provider to obtain sensitive data which was used in an attempt to extort millions of dollars,” said Kimberly Milka, Acting Special Agent in Charge of the FBI Boston Division. “This alleged scheme has resulted in serious consequences and highlights the FBI’s ongoing commitment to bringing cyber criminals to justice, no matter what their motivation is for willfully breaking the law.”
Each of the charges — cyber extortion conspiracy, cyber extortion, and unauthorized access to protected computers — carries a maximum sentence of five years in prison, up to three years of supervised release, and a fine of up to $250,000 or twice the gross gain or loss, whichever is greater, the U.S. Attorney’s Office for the District of Massachusetts reported. The aggravated identity theft charge carries a mandatory two-year prison sentence, to be served consecutively with any sentence for the computer fraud charges. Final sentences will be determined by a federal district court judge in accordance with the U.S. Sentencing Guidelines and applicable federal statutes.
The investigation was conducted by the FBI with assistance from the Assumption University Police Department. Assistant U.S. Attorney Kristen Kearney of the Securities, Financial & Cyber Fraud Unit is prosecuting the case.
The U.S. Attorney’s Office for the District of Massachusetts advised individuals with concerns about possible data exposure to contact their local school district.
