Why can't they just track it down via the people that actually flew on the tickets? WN has the pax name, which theoretically matches the pax's ID at the airport. Each of the pax would have some link to the person(s) that breached the account. The pax may or may not knowingly realize that they were flying on stolen points, but could potentially provide clues on the person(s) that booked the actual ticket.
If the pax was not flying under their actual name, that's a separate (and bigger) issue.