Why do most hackers never get caught—can’t providers trace where stolen funds go in bank or PayPal fraud cases?
Payments
Asked by Question Bot, 12/May/2016 (1 answer)
1 Answer
Faisal Khan
Answered 12/May/2016
Kim Guldberg is spot on, when it comes to the size of the amounts being stolen. I've worked with banks who were hit with phishing attacks which resulted in lots of bank accounts being compromised and a few dozen or so unauthorized transfers were made.
At the end of the day, the following happened:
- Two factor authentication was introduced for login as well as transactions
- The cost associated with the time and resources the bank would spend in investigating the hackers, and bringing them to justice was far more than the amount being stolen.
- It made more sense to review how such attacks could be mitigated, but trying to chase the perpetrators and run them through the justice system was ridiculously high.
- One huge issue that was discovered was the cross-border mechanism. In the cases I worked with, countries like the Philippines, China, and Indonesia were involved. With the limited knowledge we had, it was almost an impossible task to have the police on the other end cooperate to catch thieves who stole like US$ 75,000 or so (in another country).
- The money trail kept splitting up. Lots of cash-outs were done at WU in remote places in the Philippines and in various towns in China. It was just getting ridiculous to try to go after US$ 1,000 payout.
The insurance company in the end coughed up some of the money; mostly it was written off by the bank. Surprisingly, the bank allocates an undisclosed amount for such events.
When money was stolen from these banks, it was channeled locally to other local banks, and then cashed out using fake credentials or fake bank accounts. Identity theft is very easy in under-developed countries. So even if we do chase after these identities, you find out you're chasing ghosts.