Why are hackers so young?
In late June, five French nationals aged 16 to 22 were arrested after the theft of millions of patient records. With every case, the same question: why are hackers almost always so young? The answer says a lot about our brains, our data, and what we do with our talent.

Four million records, five kids
On June 23, 2026, France's anti-cybercrime unit arrested five people suspected of belonging to a collective called "Marak." Target: healthcare. Hospitals, clinics, medical companies. The toll: nearly four million patient records stolen. Identities, administrative data, medical follow-up. The five suspects are between 16 and 22 years old.
The investigation had started a year earlier, after the hack of a clinic in the Loire. Nothing exceptional, in fact: two weeks earlier, the same unit had dismantled "Dumpsec," seven arrests and more than 1,500 victims. Kids again.
The hacker doesn't have the face you imagine
Forget the hooded genius lurking in the shadows. The reality is more ordinary, and more unsettling: a teenager in his bedroom. Four mechanisms explain it, and they reinforce one another.
A brain wired for risk. Between 15 and 25, the brain is not finished. The area that weighs consequences and curbs impulses, the prefrontal cortex, matures last. The reward circuit, on the other hand, is already running at full tilt. You underestimate danger, you think you are untouchable, consequences stay an abstraction. Add plenty of free time, with no job and no family to support, and you get the perfect ground to explore relentlessly.
A barrier that has fallen. Hacking no longer requires being a prodigy. Freely available tutorials, mutual-help communities on Discord and Telegram, ready-made tools, cybercrime services rented like a Netflix subscription. The myth of the lone genius is dead. Today you need curiosity, method, and time. Nothing else.
Glory before money. People picture the lure of profit. Among the youngest, the fuel is elsewhere: the challenge, boredom, peer recognition. In these circles, reputation is the only currency that counts. You climb an invisible hierarchy, you aim for the big splash. And that is precisely what undoes them. They boast, they claim credit, they sign their exploits. Discipline comes with age, and most get caught before acquiring it.
Invisible victims. Behind a screen, four million records do not weigh four million lives. They are lines in a file. That distance numbs. It starts with a grey-area curiosity, "am I capable of it?", then you slide, one notch at a time, the justification already prepared: "I'm just showing they were badly protected." You do not feel like a criminal. You feel clever.
The news-story trap
Beware the blind spot the headlines forget. If hackers seem so young, it is first because the young are the ones who get caught.
The truly dangerous actors never make the front page. Professional ransomware, state-backed groups: organised, disciplined, patient, and they do not get caught. Marak and Dumpsec are the tip of the iceberg. The loudest, the clumsiest. Not the most threatening. "Hackers are young" describes what arrests reveal, not the reality of the threat. The nuance is crucial when we are talking about the data in our hospitals.
So what do we do?
Pointing fingers is not enough. The good news is that we know exactly what to do. Two projects to run at once. One obvious, one neglected.
Lock the doors. Let us start with the obvious. If health data leaks almost every week, it is not because a nurse clicked the wrong link. It is because the applications that host it are sieves. The king of flaws is called IDOR: it is often enough to change a digit in a web address to land on the neighbouring patient's file, for lack of any real access control. A flaw known for twenty years. Still everywhere. The real culprit is not the human, it is the debt. Technical debt of systems cobbled together and never fixed. Governance debt of organisations that never put security at the top of the pile. The answer is as boring as it is urgent: pay down that debt, now. Serious access control, regular offensive testing, audits with teeth. It is obvious. Let us do it, and move on to the real subject.
Channel the talent. This is the project no one talks about, and it is the most important. Think for a second. The kid who worked out how to siphon off four million files performs exactly the same act as a security consultant paid six figures for it. Same skill, same curiosity, same persistence. The whole difference comes down to one word: authorisation. A contract, and he becomes a professional everyone is fighting over. Without a contract, he becomes a criminal record.
Yet Europe is desperately looking for tens of thousands of cybersecurity specialists. We are digging gaping holes in our workforce, and meanwhile we are handcuffing precisely the profile we struggle to recruit. It is absurd. Every arrested teenager is a defender we let slip away.
Why do they tip over to the wrong side? Not out of malice. Out of ease. The illegal path offers everything, right away: the adrenaline, a community that applauds, a scoreboard, zero barrier. The legal path, on the other hand, demands a five-year degree, patience, doors to push open, and months of boredom before the first slightly exciting assignment. At equal talent, we lose the recruitment race on the experience we offer. We offer an obstacle course where the other camp offers a video game.
Let us flip the logic, because France already has the tools, and they work. Bug bounty platforms like YesWeHack, a French flagship, pay researchers to legally find companies' flaws: money, reputation, and no criminal record. Every year ANSSI, our national agency, runs the France Cybersecurity Challenge, a hacking contest open from age 14 that drew more than 2,000 players in 2026 and selects the French team for the European championship. Training platforms like Root-Me or Hackropole let you practise as much as you want without breaking anything real. The thrill, the community, the ranking, the glory: everything the teenager is looking for already exists, on the right side of the law.
So the problem is not the absence of alternatives. It is the timing. We arrive too late. We reach out to these young people at twenty, before a judge, when we should have caught them at fourteen, in a school club, before the wrong Discord server did the job. Other countries have understood this and redirect their first-time offenders toward legal careers rather than toward prison. The maths is simple: converting a talent costs infinitely less than repairing a leak and running a trial. And it turns a threat into a bulwark.
Because a sixteen-year-old who finds a flaw is not Al Capone. He is raw talent waiting to be shown the right door. Our only job is to get there before the other camp does.
Questions fréquentes
Why are arrested hackers almost always young?
Because the 15-25 brain is still wired for risk (an immature prefrontal cortex, a reward circuit running at full tilt), because hacking no longer requires being a prodigy (tutorials, communities, ready-made tools), because the fuel is glory and peer recognition more than money, and because the screen makes victims abstract. Above all: the young are the ones who get caught; the truly dangerous actors do not.
How does health data leak?
Often through an application flaw known for twenty years, IDOR: changing a digit in a web address is enough to display the neighbouring patient's file, for lack of access control. The real culprit is not human error but technical and governance debt.
What should we do with young hacking talent?
Catch them early (from age 14) and steer them toward the legal paths that already exist in France: bug bounty (YesWeHack), ANSSI's France Cybersecurity Challenge, training platforms (Root-Me, Hackropole). Converting a talent costs far less than repairing a leak and running a trial.

Être en cybersécurité
Une feuille de route cyber en clair, pour tout le monde, pas seulement les experts.
