LulzSec did it, allegedly, to protest a decision by NATO and the White House to treat hacking as an offense as serious as an act of war.
21-year-old Florida computer engineering major Scott Arciszewski allegedly did it out of sympathy and for kicks – uploading files to the site, tweeting a boast about it, then retweeting the boast to the attention of the FBI agents investigating the attack – all from the same IP address.
Feds tracked him to a Twitter account, from there to a personal web site and from there to his dorm room.
Failing to hide an IP address was also to blame for the arrest of an underage and unnamed British hacker who launched a DDOS attack on a Call of Duty site after cheatbotting his way to a high score and deciding the best way to keep other players from killing his character was to keep the site too busy to let them log on.
It worked, but also left a trail back to an IP address that – unlike in the case of more savvy hackers – was the perp's actual address rather than one of a chain of free or commercial proxies and malware-infected zombie computers used as identity-concealing proxies and launch points for attacks.
Even the "Low Orbit Ion Cannon" DDOS tool used by Anonymous to attack sites that refused to let consumers sent money to fund WikiLeaks late last year, didn't do much to hide IP addresses. PayPal was able to capture several accurate IP addresses in its server logs, which feds used to track down the attackers.
Most hackers take at least some precautions most of the time. Anonymous as it seems, however, everything that happens online is recorded in server or network logs somewhere.
Those who know how to dig up the tracks – like the coterie of more established hackers who vowed to dox and take down LulzSec for being posers and loudmouths – the tracks remain for long after attacks are over and even after the attackers themselves claim to have ceased hostilities.