Can you trace an IP Address to a hacker?

This is a very open-ended question with a lot of variables that come into play. How skilled the hacker is determines how, and whether, they can mask or hide their true identity. It is also critical to know exactly when the hacker was using that IP address, because IP addresses often change and are not static. There really is no simple answer.
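The "when" matters because an address is only a pointer to whichever device held it at that instant. The following Python example, added here and not part of the original post, shows the defender's side of that attribution step: it parses a constructed DHCP lease log (the log format, addresses and MACs are invented for the demo) and answers "which device held this IP at this time?", refusing a naive timestamp because an abuse report written in local time compared against UTC lease records points at the wrong device.

```python
"""Attribute an IP address to a device at a given instant using DHCP lease records.
Added example with constructed data; the lease-log format below is invented for the demo."""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address
from typing import List, Optional

# Constructed lease log, one lease per line: "<start> <end> <ip> <mac>" (timestamps in UTC).
# 10.0.0.42 changes hands at 12:00 and is unassigned after 20:00.
SAMPLE_LEASE_LOG = """\
2023-05-01T08:00:00Z 2023-05-01T12:00:00Z 10.0.0.42 aa:bb:cc:00:00:01
2023-05-01T12:00:00Z 2023-05-01T20:00:00Z 10.0.0.42 aa:bb:cc:00:00:02
2023-05-01T07:30:00Z 2023-05-01T23:30:00Z 10.0.0.43 aa:bb:cc:00:00:03
"""


@dataclass(frozen=True)
class Lease:
    ip: str
    mac: str
    start: datetime  # inclusive
    end: datetime    # exclusive: a lease ending at 12:00 does not cover 12:00


def parse_ts(text: str) -> datetime:
    # datetime.fromisoformat() rejects a trailing 'Z' on older Pythons,
    # so normalise it to an explicit UTC offset first.
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


def parse_leases(log: str) -> List[Lease]:
    leases = []
    for line in log.splitlines():
        if not line.strip():
            continue
        start, end, ip, mac = line.split()
        ip_address(ip)  # validate the address; raises ValueError on junk
        leases.append(Lease(ip, mac.lower(), parse_ts(start), parse_ts(end)))
    return leases


def device_for(ip: str, when: datetime, leases: List[Lease]) -> Optional[str]:
    """Return the MAC that held `ip` at instant `when`, or None if no lease covers it."""
    if when.tzinfo is None:
        raise ValueError(
            "timestamp must be timezone-aware: a naive local time compared "
            "against UTC lease records attributes the address to the wrong device"
        )
    addr = ip_address(ip)
    for lease in leases:
        if ip_address(lease.ip) == addr and lease.start <= when < lease.end:
            return lease.mac
    return None


if __name__ == "__main__":
    leases = parse_leases(SAMPLE_LEASE_LOG)
    # An abuse report timestamped 14:00 at UTC+5 is 09:00 UTC, i.e. the first device.
    report_time = parse_ts("2023-05-01T14:00:00+05:00")
    print(device_for("10.0.0.42", report_time, leases))
```

The half-open lease interval and the timezone check are the two details that usually go wrong in practice: a report an hour off, or in the wrong zone, lands on a different tenant of the same address, which is exactly why the author says the time matters as much as the IP.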

How do hackers hide their identity?

To start with, there are many ways a hacker can remain anonymous online. Let's begin by setting a mentality.

Think outside of the box (no pun intended).

Scenario 1: Another Person’s Laptop

Suppose a hacker uses another person’s computer. Even if they didn’t mask their IP address or try to hide it, how would you ever identify the hacker if they used another person’s computer?

Scenario 2: Anonymous Cell Phone

What if someone compromised another person's Facebook credentials, used an anonymous cell phone, and logged on over McDonald's WiFi at 3 AM? Cell phones can be bought through Craigslist, stolen, or borrowed. Are the police really going to pull McDonald's security footage for something like that? And if they did, what would it prove?

Let’s get technical…

Scenario 3: No-Logs VPN

Some hackers use Virtual Private Networks (VPNs) to hide their location. Some of these services let you pick an exit location anywhere in the world; the hacker connects through the VPN and uses that server's IP address. A lookup of that address then reflects the VPN server's location, not the hacker's. If the provider keeps no logs, it is very difficult to trace the VPN's IP address back to the hacker.

I recommend NordVPN; however, you can't specify very granular locations with their service.


Scenario 4: Proxychains

A more technical way of staying anonymous is using proxychains together with a VPN.

Scenario 5: Hacking the neighbor’s WiFi

Using tools like aircrack-ng, it is possible to break into a neighbor's WiFi router. Once in, a hacker could also change the MAC address on their machine. Using the neighbor's WiFi in combination with a VPN and proxychains would make the connection even more difficult to trace.

Scenario 6: Malicious Back Door Agent / Scripts

A hacker could also use a malicious back door agent: once installed on a victim's computer, it gives the hacker control of that machine, and anything launched through it traces back to the victim's IP address.

There are so many scenarios where a hacker can easily hide their identity.

Tracing an IP address really doesn’t prove anything.

Scenario 7: TeamViewer

Hector Monsegur got around Tunisia's firewall by having a Tunisian resident connect to his computer using TeamViewer. They defaced the prime minister's website through a computer in Tunisia. The IP address of the attack would have pointed to the resident's computer, not the hacker's.

How do they get busted?

Usually, hackers get careless and start making mistakes. The more often they hack, the more evidence accumulates. Being in Anonymous and bragging online is what drew the Feds to Hector. There are also cases where a person cooperates with the Feds to snitch on others: Hector Monsegur (Sabu), head of LulzSec/Anonymous, snitched on several people, resulting in lengthy prison sentences.

FBI: We know who you are… we know what you are doing…

Traceroute

This tool identifies each hop (router) between two computers, resolving hop addresses through DNS where it can. Using traceroute against my web server, I can identify the service provider, which is DigitalOcean. If a hacker had placed a malicious bot on this server, we would still have to figure out who did it and when.
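As an added example (not the author's code), the Python below parses a constructed traceroute run, flags hops that never answered, and classifies the last responding hop by longest-prefix match against a provider table. It illustrates both this section and the VPN scenario above: the same classification that says "this address belongs to a hosting provider" can say "this address is a VPN exit pool", and in either case the trail ends at an organisation whose logs, and the exact time, you would still need. The addresses are RFC 5737 documentation ranges and the provider table is a placeholder invented for the demo; it is not DigitalOcean's or any VPN vendor's real address space, which in practice you would take from whois/RDAP or the provider's published ranges.

```python
"""Parse traceroute output and attribute the final hop to a network owner.
Added example; sample output and the prefix table are constructed placeholders."""
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

# Constructed traceroute output (Linux format) using RFC 5737 documentation addresses.
SAMPLE_TRACEROUTE = """\
traceroute to example.test (203.0.113.70), 30 hops max, 60 byte packets
 1  192.0.2.1 (192.0.2.1)  1.023 ms  0.981 ms  0.977 ms
 2  198.51.100.5 (198.51.100.5)  8.412 ms  8.390 ms  8.377 ms
 3  * * *
 4  203.0.113.1 (203.0.113.1)  21.104 ms  21.090 ms  21.077 ms
 5  203.0.113.70 (203.0.113.70)  21.900 ms  21.880 ms  21.850 ms
"""

# Placeholder ownership table: prefix -> label. Real work would fill this from
# whois/RDAP or published provider ranges; these entries are invented for the demo.
PROVIDER_PREFIXES: Dict[str, str] = {
    "198.51.100.0/24": "transit-ISP-B (placeholder)",
    "203.0.113.0/24": "hosting-provider-A (placeholder)",
    "203.0.113.64/26": "VPN exit pool of hosting-provider-A (placeholder)",
}


@dataclass
class Hop:
    ttl: int
    host: Optional[str]
    ip: Optional[str]
    rtts_ms: List[float]

    @property
    def timed_out(self) -> bool:
        # A hop that answered no probes (" * * *") carries no address at all.
        return self.ip is None


HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")            # "<ttl>  <rest>"
ADDR_RE = re.compile(r"(\S+)\s+\((\d+\.\d+\.\d+\.\d+)\)")  # "host (a.b.c.d)"
RTT_RE = re.compile(r"([\d.]+)\s+ms")


def parse_traceroute(output: str) -> List[Hop]:
    hops = []
    for line in output.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue  # the "traceroute to ..." header has no leading TTL
        ttl, rest = int(m.group(1)), m.group(2)
        a = ADDR_RE.search(rest)
        if a is None:
            hops.append(Hop(ttl, None, None, []))
            continue
        rtts = [float(x) for x in RTT_RE.findall(rest)]
        hops.append(Hop(ttl, a.group(1), a.group(2), rtts))
    return hops


def classify(ip: str, table: Dict[str, str]) -> Optional[str]:
    """Longest-prefix match: the most specific prefix containing `ip` wins."""
    addr = ip_address(ip)
    best_net, best_label = None, None
    for prefix, label in table.items():
        net = ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_label = net, label
    return best_label


def summarize(output: str, table: Dict[str, str]) -> dict:
    hops = parse_traceroute(output)
    answered = [h for h in hops if not h.timed_out]
    last = answered[-1] if answered else None
    return {
        "hops": len(hops),
        "timed_out": [h.ttl for h in hops if h.timed_out],
        "last_ip": last.ip if last else None,
        "last_owner": classify(last.ip, table) if last else None,
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_TRACEROUTE, PROVIDER_PREFIXES))
```

The owner label is where this kind of trace stops: knowing the last hop sits in a hosting provider's or a VPN vendor's range tells you whom to ask, not who was on the other end, and the silent hop 3 is a reminder that intermediate routers are under no obligation to answer at all.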

Conclusion

If you watch some of the interviews with Hector Monsegur (head of the LulzSec hacking group), you can clearly see that he was busted by getting sloppy and revealing too much information over time. Those hackers shut down an entire country's government. Let that sink in…

IRC logs