The ringleaders also risk their IP when they access any website, such as some crime forum to sell their malware. Crime forums regularly get hacked, and sometimes the databases have the last logged-in IP in them.
Also, I'm not sure about crime forums, but other forums sometimes allow image embedding, either by a profile picture hotlink, or BBCode, or HTML, which can get the IP of everyone who views the page.
Also, just by sending someone a link you can get that person's IP. Maybe DNS prefetching can get some info about the person even if the person doesn't click the link.
Also, whatever hosting provider they use to distribute the malware to the affiliates could end up leaking their IP.