Federal investigators say they’re closing in on the hackers who breached JPMorgan Chase (JPM) last summer. Authorities say they expect a criminal case will be filed against the banks’ assailers—whose attack was “not nearly as sophisticated as initially believed”—as early as “in the coming months,” the New York Times reports.
That confidence on the part of law enforcement officials provides some clues as to where the hackers might be hiding out. In order for the culprits—cyber thieves who gained access to contact information such as names, phone numbers, and street and email addresses for 76 million households and 7 million small businesses—to be “gettable,” as officials seem to believe the hackers may be, they must reside someplace where the United States can nab them. That narrows down the scope of geographic possibility.
The hackers may, of course, live in the U.S., which would be the scenario with the least hassle for the U.S. That’s where the feds caught infamous hacker Albert Gonzalez in 2008. He had stolen information for more 90 million payment cards from companies like T.J. Maxx (TJX) and Heartland Payment Systems (HPY).
But “gettable” also implies that they might reside in a country with which the U.S. has an extradition treaty, an agreement whereby the U.S. may tender a request for the capture and receipt of a criminal (suspected or convicted) on the lam in another nation. These are our jail time allies, if you will. That’s how the feds snatched Gonzalez’s partner in crime Vladimir Drinkman in the Netherlands in 2012, and also how they got a hold of the cyber criminal Vladislav A. Horohorin, a.k.a. “BadB,” in France in 2013.
In this case, if the hackers are, again, “gettable,” countries such as China and Russia—where no such treaties exist—are unlikely sanctums for the bandits. Try as it might, the U.S. has had no luck apprehending Edward Snowden, the notorious leaker of U.S. National Security Agency secrets, for example, who still is, as far as anyone knows, holed up in Moscow. And the U.S. has also been unable to seize five Chinese nationals it indicted last year for cyber espionage against companies like Alcoa (AA) and U.S. Steel Corp. (X). (Here’s Fortune‘s cover story on Kevin Mandia, whose security firm Mandiant, since acquired by FireEye (FEYE), outed those hackers in a report.) Geography can have a crippling effect on law enforcement’s efficacy.
So where in the world could the hackers of J.P. Morgan be?
Fortune will spare listing all the possibilities here—there are more than 100 countries. Instead, here’s a link to a document provided on the State Department website that offers a rundown of the potential places: U.S. Code title 18 (“crimes and criminal procedure”), part II (“criminal procedure”), chapter 209 (“extradition”), section 3181. Scroll through the list of countries with which the U.S. has extradition treaties and you’ll find that the hackers, if truly “gettable,” could be anywhere from Albania to Zimbabwe.
In an earnings call last year J.P. Morgan CEO Jamie Dimon said “there are going to be some wins and losses” in the battle against cyber crime. If the investigators can nail the bank’s hackers—something that hasn’t been accomplished for breaches at Target (TGT), Home Depot (HD), and others, where the personal information for tens of million of customers were compromised—that would certainly tally a “win.”
The recent malware ATM heist targeting J.P. Morgan and other banks, on the other hand? Still a “loss.”