That's how Topiary was arrested, shortly after LulzSec claimed to have disbanded and despite social-engineering attempts to throw suspicion on other hackers to confuse the identity of both Topiary and LulzSec leader Sabu.
Other LulzSec'ers were arrested for obvious mistakes. An AT&T contractor named Lance Moore allegedly used an AT&T VPN login to pull data from AT&T servers that he posted as part of LulzSec's triumphalist and ill-advised "50 Days of Lulz" diatribe in which the collective bragged about its success, its wily escape from law enforcement and intent to return to a quiet life in the country.
AT&T recognized its data, traced it to the correct server, checked out the logs and pinpointed Moore as one of very few who accessed that particular data around the time it must have been stolen.
That's roughly like taking a lunch break from your job at the jewelry store and re-entering through the front door to rob the place without having changed clothes or put on a mask first. You might pull it off, but police will be able to get a pretty good idea who the crook might have been.
The key to successfully hiding your identity during an attack seems to be making sure you pass through enough interim sites to conceal your point of origin permanently – either because they're in a country not vulnerable to pressure from the FBI, specifically offer to protect users' data by not saving the login or tracking data on their servers for more than a few days, or because they're zombies being remotely controlled by someone else, who makes sure the zombie doesn't keep enough information to point back to a command-and-control site.
Lacking a trustworthy proxy, the best thing to do is to go through so many interim sites and services that the process of tracking you through them all is too time consuming for most security teams.