I think you need to read up on cyber crime and cyber criminal groups. Your thesis is correct but only accounts for those who are not independent from the internet. A professional attacker wouldn't ever use the machine and network they were accessing the Internet from for anything else other then their attacks. No compromising search terms, emails, chats, page visits, internet billing, etc. I'm talking a machine totally devoid of personal information or anything that could potentially reveal the identity/location/details of the attacker. Now imagine this was scalable and you constantly were changing your point of access and machine. Actual cyber criminals (the ones cleaning out credit card companies, banks, high level blackmail, stolen secrets, etc, the shit you really only ever hear rumors about because it's too dangerous to leave executive circles at companies.) especially in Eastern Europe have access to an almost unlimited supply of cheap machines, false identities, "tunneled" networks and connections inside major established institutions and companies, and strict criminal group rules, make it almost impossible to identify anyone. Don't be naive this shit goes on everyday.

I would imagine the professionals are using other peoples cracked wifi networks, then routing through tor or a similar onion routing system, eventually hitting a VPN endpoint on some anonymous-hosting account in russia, etc etc.

The truly paranoid might like to rent a botnet and build their own tor network on top of it or something like that.

In short: the fundamental nature of TCP/IP is such that if you are sufficiently motivated, and dont mind horrible latency, even the FBI/tptacek cant identify you.

I'm thrilled to report that it isn't my business at all to track down people on the Internet, and so I am not a good standard for what is and isn't feasible vis a vis IP traceability.

We break apps and build products and that is just about it. (We've also never done business, to my knowledge, with the government.)