If neither the perpetrator nor the servers are in the U.S., theres not likely to be any jurisdiction, but it's not actually necessary for the targeted servers to be in the U.S.; it's sufficient for jurisdiction for the (alleged) perpetrator to be operating from the U.S.