/whois doesn't work if you are cloaking your hostname or just connect via tor/vpn or just some random place. Probably easier to just target the central node.
Yeah, but how many scriptkiddies use a VPN or apply for cloaks? Next to zero for most of them.
Also, I bet my behind that the NSA has epxloits for the most popular IRCd's, so that only tor/vpn are a real problem for them (and besides, even these connections can be shot with TCP FIN injections).
Actually the vast majority of script kiddies and "cyber criminals" use VPNs. The problem is that they have a habit of accidentally connecting to servers without always turning on their VPNs. They lack professional discipline, not toolsets.
On plenty of networks (it's been years since I was on IRC, so unsure which IRCd's support it, but iirc both Quakenet and Freenode do in slightly different ways) even support host-masking as long as you are auth'd on the network - of course, IRCops could still find out, so a subpoena (or hacking into the servers) could see it, but prevents /whois from telling you at least.
(I think some networks even partially hide your IP by default anyway)
I tend to doubt that there's many exploits out there for the popular ircds, because IRC is such a hostile environment - ircd is probably one of the most battle-hardened codebases out there.
Also, I bet my behind that the NSA has epxloits for the most popular IRCd's, so that only tor/vpn are a real problem for them (and besides, even these connections can be shot with TCP FIN injections).