
Not sure why you’re downvoted. When you think of state actors, Israel comes very high (stuxnet etc), as well as the usual US/Russia/China/NK groups.

Unit 8200 in the IDF especially have a very notable reputation.

That’s not to say other countries don’t have capabilities (and this doesn’t look like you need the resources of a group like, say, the NSA or GCHQ for this particular attack - indeed it could just be a single lone wolf), but it’s noteworthy.



If the only thing I knew was UTC+2 (and I don't even think I know that, I'm really cautious with assumptions about what mistakes that kind of people plausibly make), Israel would be very high on the list. But FWIW, 25 Dec is a Catholic holiday, and even though it's mentioned on the Wikipedia page about Israeli holidays, I'm not sure how official that is. I mean, it doesn't seem to be, like, a real Israeli holiday.


I think no commits on December 25 is not enough to go by. He's been active for about 2 years, so that's what, 1-2 Christmases? I assume he doesn't commit literally every day. So it could be a coincidence that he didn't on those particular 1-2 days. Also, in many Orthodox Christian majority countries including those in UTC+2 they don't celebrate on 12/25.

But doesn't Israel also not follow a typical work week? Eg. No commits on Friday afternoon?


Yes, that's what I mean as well: I don't really think this analysis is anywhere near conclusive. It's interesting. But that's it. From what I'm seeing, there really isn't very much data. The article makes it feel like there is this huge archive of commits that draws a picture of a guy working almost every day on these projects with some very visible gaps in time, but there really isn't. The data is quite scarce. I would need to actually do the analysis myself to decide what I'm willing to believe, and I don't think I want to do this right now. But for now, I don't think we really have anything.

…What I would really want is some input from Microsoft. I don't know what they can reveal, but I believe they must have quite a bit more data than us. Even speaking about times, well, he must have been using GitHub for more than just committing stuff. And I'd imagine they have some logs. Also, it's very fair to assume that he was using a VPN all the time, but it's also fair to assume that he wouldn't accidentally slip like that, revealing his real time zone in 9 commits. So, yeah, for sure there are people who have waay more data than me, and probably know how to use it properly better than me too. Not sure they will be willing to share, though.


Somebody on another HN thread pointed out he used Gmail, so google has something too.

I think I saw somewhere a claim that somebody confirmed he used a VPN; I can't recall how they did that.


Anyone try emailing with a tracking image?


No need to bother with a tracking image. Just scour the message headers of any message sent in the past -- there's a decent chance there are a few more dates lurking in those headers, and even an IP address or two.


Headers have the IP address of their mail service.


Years ago they would include the IP of the end user. Gmail and hotmail stopped including that more than a decade ago. But they both used to. I think Gmail stopped this practice years ahead of Hotmail.

I have a relative with mental health problems who lives on the street, and he sometimes writes me from public libraries -- kind of luckily for family members who are concerned about him, the webmail service he uses still includes that info in headers. So I usually know which public library he writes from.


When I was a PhD student, IPs in headers were a great way to see if professors I was working with were traveling or not...


I'm sure this guy is not checking his email after being exposed.


They refused to divulge how they knew


It's not just that there's only two Christmases. It's that Christmas fell on Sunday in 2022 and Monday in 2023, and the article already established the attacker mainly worked Tuesday-Friday. The note about the attacker never working on New Year has the same problem (New Year's Eve/Day always lines up with Christmas Eve/Day, so would not have hit the Thu-Fri window either).
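The weekday argument above can be checked mechanically: tally a commit history by weekday and UTC offset, then ask, for each holiday, whether it even fell inside the author's usual working window. What follows is an added example, not code from the article or the thread; the commit timestamps are constructed sample values, and the Tuesday-to-Friday window is taken from the comment above, not from any real dataset.

```python
"""Weekday / UTC-offset tally over commit timestamps, plus a check of whether
the absence of a commit on a given holiday is actually informative."""
from collections import Counter
from datetime import date, datetime

# Constructed sample author timestamps (ISO 8601 with UTC offset). These are
# illustrative values only, NOT the real commit history discussed in the thread.
SAMPLE_COMMITS = [
    "2022-11-15T09:12:44+02:00",  # Tue
    "2022-11-16T18:40:03+02:00",  # Wed
    "2022-11-17T11:05:19+02:00",  # Thu
    "2022-11-18T16:22:51+02:00",  # Fri
    "2022-12-20T10:30:00+02:00",  # Tue
    "2022-12-22T15:45:12+02:00",  # Thu
    "2022-12-23T12:00:00+02:00",  # Fri
    "2023-01-03T09:58:31+02:00",  # Tue
    "2023-01-05T14:10:07+08:00",  # Thu, odd offset: a single misconfigured-clock style outlier
]

WEEKDAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]
TUE_TO_FRI = {1, 2, 3, 4}  # datetime.weekday(): Monday == 0 ... Sunday == 6


def parse_commits(stamps):
    """Parse ISO 8601 strings into timezone-aware datetimes."""
    return [datetime.fromisoformat(s) for s in stamps]


def weekday_histogram(commits):
    """Commits per weekday, using the author's own local date."""
    return Counter(WEEKDAYS[c.weekday()] for c in commits)


def offset_histogram(commits):
    """Commits per UTC offset, in whole hours."""
    return Counter(int(c.utcoffset().total_seconds() // 3600) for c in commits)


def holiday_dates(years):
    """Christmas Eve/Day and New Year's Eve/Day for each year (Jan 1 of the following year)."""
    out = []
    for y in years:
        out += [date(y, 12, 24), date(y, 12, 25), date(y, 12, 31), date(y + 1, 1, 1)]
    return out


def holiday_report(years, work_days=TUE_TO_FRI):
    """Map each holiday to (weekday name, falls inside the working window?)."""
    return {
        d.isoformat(): (WEEKDAYS[d.weekday()], d.weekday() in work_days)
        for d in holiday_dates(years)
    }


def absence_is_informative(commits, holiday, work_days=TUE_TO_FRI):
    """A missing commit on `holiday` only says something if the author normally
    commits on that weekday AND was active in the surrounding two weeks."""
    if holiday.weekday() not in work_days:
        return False
    nearby = [c for c in commits if abs((c.date() - holiday).days) <= 14]
    return bool(nearby) and not any(c.date() == holiday for c in commits)


if __name__ == "__main__":
    commits = parse_commits(SAMPLE_COMMITS)
    print("weekdays:", dict(weekday_histogram(commits)))
    print("offsets :", dict(offset_histogram(commits)))
    for day, (name, inside) in holiday_report([2022, 2023]).items():
        print(f"{day} {name} in-window={inside}")
```

Run on the 2022 and 2023 calendars, every one of those holidays lands on a Saturday, Sunday or Monday, so under a Tuesday-to-Friday pattern the lack of commits on them carries no signal; the same function applied to an ordinary mid-week date with activity around it would report the gap as worth a second look.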


December 25 and Jan 1 are regular work days in Israel, with the legal option that someone can't be refused those days off, but has them deducted from their accrued vacation time (there are other days that one can't be refused off; if no vacation days are available, leave without pay has to be offered for those days).

i.e. most Israelis work those days.


Even a North Korean hacker would be plausible.


NK is one of the most prolific state actor countries. They aren't UTC+2 though.

Greece and Finland aren’t prolific. I’m sure they have the resources; many lone people would have. I don’t think they have the motives though. The US, Russia, China, NK and Israel have the motive, opportunity and track record. I wouldn’t rule out Ukraine either (and Ukraine is GMT+2).

I still think that an individual is the most likely candidate though.



