You are leaving out the fact that very sophisticated hacks can spoof the IP address to match any originator
and MAC address they want. And there will be no issue (no collisions) with this if you control one or more of the servers in the domain name system. In that case, the header will match perfectly, and what is more, incriminate the wrong person if that is what the hacker wants to do.
Not easy to do for non-State actors (but possible.)
And if NSA (for example) wants to make this look like a chain of possession that belongs to the Russians, they can.