Do you mean pentesting or actual hacking?
You can also do it from any OS,not just Linux,also you need to know a lot of stuff about cyber security,Operating Systems in general,networking,tcp/ip,packet tracing,various types of malware/ransomware.social engineering and at least learn the advanced basics of OOP and as a bonus functional languages to understand how to modify code and that does not mean become a SW developer,because nowadays SW devs and devopses mostly copy/paste stuff from stackoverflow and other resources.
Use recycled code practices for companies to crunch the deadlines and that is full of holes in any OOP from C to Java(shrug),C++ which if/when written in spaghetti code manner to crunch the sprints,because agile is popular in name only with a waterflow model slapped under the hood,all that results in a bunch of memory leaks and exploits.
The other aspect is covering your tracks,lets pretend you hacked something and not in a bug bounty fashion,but lets say you used John The Ripper or some similar tool to bruteforce let's say a corporate top tier employees email account to gain access to a corporate network and infected it with ransomware.
If you do it from under Windows with Outlook Account(LOL),Cortana and diagnostics data will send that info to Microsoft Servers right away which will be forced to turn it over to your local law enforcement agency,you've done something naughty from Google Chrome or Chromium/Firefox using their search engines?
That data is already sent to third parties and even your Candy Crash app will know that you ve been naughty,not to mention your ISP who are required by the law to store and provide logs of all your network activity for at least 6 months if not more,depending where you live.Same applies to MacOS,I mean the whole Apple SW dept will be watching how you do it with great interest and then they will report you eventually.
Yes, you can use Kali Linux,its Debian based,it has the tools for pentesting,but it does not anonymize you,so your connectiivity is still open for monitoring,ok you go further you start using Tails OS with Kali Linux toolset on a VM(lol),it might work if you are not running it from the ISP that can be traced to you,a laptop that can not be traced to you, a location that can not be traced to you. Actual black hat top tier corporate hacking is too much work in general,the stuff you see in the movies/tv shows is not real,all the hacking now goes down to pentesting and crypto mining,which is boring actually,but safe.
And please do not confuse hacking with pentesting,employed pentesters and in general cyber security workers and researchers are poor people,compared to actual black hats who run illegal stuff and botnets,but they have the means/backed up be proper funding not to get caught,when they get actually caught,nobody envies them.