I would guess the number one way he was found was internal security systems in each of the hacked systems.
Cybersecurity involves lots of automated systems that “alert” system admins when it comes to strange patterns.
Like… This user is logging in from an unrecognized IP from an unrecognized geo-location during a time the user usually would be asleep. The user in question has never logged into the system from that area or IP, nor do they do it when they’re off the clock in the middle of the night. These unusual details would trigger an alert sent to a sysadmins cell phone, and from them they would begin digital forensics to try to pick up the trail of who this was.
I would guess the number one way he was found was internal security systems in each of the hacked systems.
Cybersecurity involves lots of automated systems that “alert” system admins when it comes to strange patterns.
Like… This user is logging in from an unrecognized IP from an unrecognized geo-location during a time the user usually would be asleep. The user in question has never logged into the system from that area or IP, nor do they do it when they’re off the clock in the middle of the night. These unusual details would trigger an alert sent to a sysadmins cell phone, and from them they would begin digital forensics to try to pick up the trail of who this was.