I had a hard time choosing which comment to select to reply, so I chose yours since it's higher up. Apologies if it's irrelevant.
I don't know why most people assume that hackers even bother with stolen credit cards in the first place. I mean, they sure do, but those are your average Joes in the business of refund reshipping and other types of scams.
Those who want the maximum anonymity don't even bother with buying anything. It's as simple as going to one of the popular websites who leak databases, setting up OpenBullet software or spending anywhere from 1 to 5 hours writing custom mail:pass validators to spam requests to either API or login form through (once again) leaked proxies, etc. using leaked credentials. Or simply going into one of those threads titled 'x100 Mullvad accounts" which have already validated accounts with anywhere from 1m pre-paid to multiple years. And there's even a bonus of not being shown as a user of this account if you do not use official App and simply load configuration manually through ovpn, etc.
And then there's proxy-chaining if you're doing something truly nefarious. It's super easy to chain multiple VPNs with few socks proxies.
People behind XZ backdoor to me look much more smarter than myself, so I would bet they took care of this angle and will be untraceable.
