
They probably have/will, though we are unlikely to find out what they get unless they manage to arrest/charge/try him.

Jia Tan probably used a vpn though - we know that they did for accessing IRC (source: https://boehs.org/node/everything-i-know-about-the-xz-backdo...)

Most (but not all) VPN providers keep logs and payment info that are subpoenable. You could use something like Mullvad with Lightning Network payments, but I am not sure that even that is fully anonymous.

The Witopia VPN that he used for IRC [1] is US based: https://www.personalvpn.com/contact-us/ and they mention neither LN payments nor a no-logs policy.

1. "~jiatan@185.128.24.163" https://boehs.org/node/everything-i-know-about-the-xz-backdo...


If he used a well-known VPN, he probably used a fake ID and a stolen credit card to pay for it.


I had a hard time choosing which comment to reply to, so I chose yours since it's higher up. Apologies if it's irrelevant.

I don't know why most people assume that hackers even bother with stolen credit cards in the first place. I mean, they sure do, but those are your average Joes in the business of refund reshipping and other types of scams.

Those who want the maximum anonymity don't even bother with buying anything. It's as simple as going to one of the popular websites that leak databases, setting up OpenBullet software or spending anywhere from 1 to 5 hours writing custom mail:pass validators to spam requests to either the API or the login form through (once again) leaked proxies, etc. using leaked credentials. Or simply going into one of those threads titled "x100 Mullvad accounts" which have already validated accounts with anywhere from 1m pre-paid to multiple years. And there's even a bonus of not being shown as a user of this account if you do not use the official app and simply load the configuration manually through ovpn, etc.

And then there's proxy-chaining if you're doing something truly nefarious. It's super easy to chain multiple VPNs with a few SOCKS proxies.

The people behind the XZ backdoor look much smarter than me, so I would bet they took care of this angle and will be untraceable.


But well-known VPNs mostly keep IP logs - I know from experience; in my company the FBI found a DDoSer this way.


Mullvad accepts cash in an envelope with no return address, good luck tracing that


Postal mail has non-zero metadata, e.g. origin can be traced at least to departure postal code.


There's... actually very little that stops you from sending mail from a non-local postal code.

I've occasionally sent packages postmarked as being from one zip code while actually in another; as long as it's in the same region, much of the postal processing doesn't care so much.

There's also remailers and forwarders.


How do you do that? Walk up to the postal counter, ask them to postmark it, then ask for it back, drive to another post office and slip it in their outgoing pile?


Semi-presorted post can be acquired pretty easily. Places like Shippo and PirateShip offer it. As long as you put enough money into the postage paid, the post office doesn't really give a shit if it comes out of somewhere weird. There is no requirement that the "return address" and "sent from" areas are the same so long as they're within the same postal zone.

This is why AMZN packages have a return address in Vegas or similar sometimes.


You seem to assume Mullvad stores something that allows correlating a Mullvad account to a specific incoming envelope.

Or that they store something that allows correlating an IP+time to a Mullvad account.


Correlation is about combining metadata to incrementally narrow datasets.

When a VPN provider isn't cooperative, metadata can be sought upstream.

Mullvad deserves much credit for accepting non-digital payments, which increases the cost of deanonymization.
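The two comments above ("well-known VPNs mostly keep IP logs" and "correlation is about combining metadata to incrementally narrow datasets") describe the same analyst workflow: take the exit IP and timestamp seen at the target, look up which subscriber sessions were active on that exit at that instant, and intersect the candidates across every observed event. The block below is an added example, not code from the thread or from any provider; the log lines, the session schema and the IPs (RFC 5737 documentation ranges) are all constructed. It also shows the case the later replies raise: when the provider holds no session records, there is nothing to join against and the result is empty.

```python
"""Narrow a set of VPN subscribers by correlating target-side log events
(exit IP + time) with provider session records. All data here is constructed
for illustration; the session schema is an assumption, not any real provider's."""
import re
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed target-side log: timestamp, client IP as seen by the target, request.
TARGET_LOG = """\
2024-03-29T12:01:05Z 203.0.113.10 GET /login
2024-03-29T12:01:06Z 203.0.113.10 POST /login
2024-03-30T09:15:00Z 203.0.113.11 POST /upload
"""

LOG_LINE = re.compile(r"^(?P<ts>\S+) (?P<ip>\S+) ")


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


@dataclass(frozen=True)
class Session:
    """One subscriber session as a logging provider might record it (assumed schema)."""
    account: str
    client_ip: str   # subscriber's real address, known only to the provider
    exit_ip: str     # shared exit address, the one the target sees
    start: datetime
    end: datetime

    def active_on(self, exit_ip: str, ts: datetime) -> bool:
        return self.exit_ip == exit_ip and self.start <= ts <= self.end


# Constructed provider records. acct-A and acct-B share exit .10 on the 29th;
# only acct-A is on exit .11 at the time of the third event.
SESSIONS = [
    Session("acct-A", "198.51.100.7", "203.0.113.10",
            parse_ts("2024-03-29T11:00:00Z"), parse_ts("2024-03-29T13:00:00Z")),
    Session("acct-B", "198.51.100.8", "203.0.113.10",
            parse_ts("2024-03-29T11:30:00Z"), parse_ts("2024-03-29T12:30:00Z")),
    Session("acct-A", "198.51.100.7", "203.0.113.11",
            parse_ts("2024-03-30T09:00:00Z"), parse_ts("2024-03-30T10:00:00Z")),
    Session("acct-C", "198.51.100.9", "203.0.113.11",
            parse_ts("2024-03-30T11:00:00Z"), parse_ts("2024-03-30T12:00:00Z")),
]


def observed_events(log: str) -> list[tuple[datetime, str]]:
    """Extract (timestamp, exit IP) pairs from the target's log lines."""
    events = []
    for line in log.splitlines():
        m = LOG_LINE.match(line)
        if m:
            events.append((parse_ts(m["ts"]), m["ip"]))
    return events


def candidates_for(ts: datetime, exit_ip: str, sessions: list[Session]) -> dict[str, set[str]]:
    """Accounts (and their origin IPs) whose sessions cover this exit at this time."""
    out: dict[str, set[str]] = {}
    for s in sessions:
        if s.active_on(exit_ip, ts):
            out.setdefault(s.account, set()).add(s.client_ip)
    return out


def narrow(events: list[tuple[datetime, str]], sessions: list[Session]) -> dict[str, set[str]]:
    """Intersect candidate accounts across all events. Returns {} when the
    provider has no records, or when no single account explains every event."""
    surviving: set[str] | None = None
    origins: dict[str, set[str]] = {}
    for ts, exit_ip in events:
        cands = candidates_for(ts, exit_ip, sessions)
        surviving = set(cands) if surviving is None else surviving & set(cands)
        for acct, ips in cands.items():
            origins.setdefault(acct, set()).update(ips)
        if not surviving:          # dataset narrowed to nothing: stop early
            return {}
    if surviving is None:          # no events at all
        return {}
    return {a: origins[a] for a in sorted(surviving)}


if __name__ == "__main__":
    events = observed_events(TARGET_LOG)
    print("after first event:", narrow(events[:1], SESSIONS))   # two candidates
    print("after all events: ", narrow(events, SESSIONS))       # one candidate
    print("no-logs provider: ", narrow(events, []))             # nothing to join
```

A single event on a shared exit leaves several candidates; each further event on a different exit or time window removes the accounts that cannot explain it. The narrowing only works on top of a dataset the provider actually kept, which is the distinction the replies below are drawing.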


Departure postal code could be an area with like 1 million people. And if it is a nation state I am sure they could send the mail from another country.


The most populous US zip code has fewer than 150K people: https://worldpopulationreview.com/zips


I mean, even if I live in Manhattan, I can easily take a subway train to an area with a different zip code and mail it there. And that's almost the easiest thing you could do -- if you want to hide where the mail is from, it is trivial.


Dense urban areas are often blanketed by a range of spectrum sensors for the purpose of retroactive correlation (e.g. Palantir) with other metadata sources.
