What stops police/a prosecutor from getting a warrant for Squarespace/GoDaddy to give them info on the purchase of the giftclub.shop domain? Their payment method is identifiable, I doubt someone committing this kind of attack is covering their traces very well.

Stolen credit cards are not very difficult to get hold of for these kinds of people, I imagine, so it won’t be as straightforward as just getting data from the provider.

However, jurisdiction and lack of funding for cybercrime policing is the main reason criminals don’t get caught.

Many cybercriminals operate in countries that do not cooperate or extradite, and may even have tacit state approval.

Only the largest police departments like NYPD and a few federal agencies like FBI have some cybercrime investigation capability, and very little of that is for investigating crimes against individuals rather than institutional victims.

It is not an unsound approach: when resources are limited, you would want to prioritize institutions, as that would protect or serve more individuals indirectly.

However, the result is that you are far more likely to get policing support when someone robs your house physically rather than your identity or assets online.

Are we exactly sure a crime has been committed?

Most likely several? Opening someone else’s correspondence is a criminal offense alone, regardless of what’s done with it.

For that you need to be positive the mails aren't going to /dev/null on the remote server and they just count the mails received.

For all we know, it could have been research to figure out how easy it is to introduce a change like that and how long such a redirection can go unnoticed.

It is just a piece of code in a random library available to download and used by persons actually willing and deciding to use it. The code was free to read before and after downloading it. No intrusion has been done on a remote machine, not even a phishing email has been sent.