Or better yet, just a URL that collects a ton of telemetry. In most cases, their curiousity will win out and you can get browser/platform/ip address details that might help suss out the attacker.
I'll do this with a simple PHP page that records everything useful from $_ENV and $_REQUEST.
This is probably really obvious but just in case: be careful you don't break any laws in the process. Would be a shame to land in as much hot water as the perpetrator. Good luck!