[mikeliu]

Except to pay for one of these, you still pay via credit card, paypal, etc. that links to real identifiable info. I was wondering why, if one of the attackers instances were discovered by google, they didn't just hand it over to the authorities and have them get a subpoena for the account info? or maybe they did

[rms]

If you can stage an attack like this, you can steal credit card numbers or phish your way to a Paypal account

[tptacek]

Not that it matters (I'm sure if they're actually paying for VM's they're using stolen cards), but you can trade cash for anonymous credit card numbers in a number of places. Simplest example: Google "Vanilla VISA".