

You are correct, but I just want to mention that the guys operating botnets are not usually the smart ones — they’re just the skids who have the patience to actually do social engineering and phishing, or come up with clever stuff to hide malware in.
A lot of the time, the operators of these large networks are caught simply because they didn’t think they needed to hide the IP, MAC or Hostname of the orchestrating machine. Sometimes it is as easy as subpoenaing the purchase records for an off-the-shelf VPS. One time, an operator was caught because a text file captured that it was encoded using a very specific country keyboard type.
Oh, nice. That covers anyone who leaves a flag out at night without a lamp shining on it. Or anyone flying a flag that has any tattered pieces.