Distinguishing attacker’s leaked IP address out of many VPN servers

Imagine the case wherein a hacker failed to correctly setup his/her cheap VPN which caused a connection drops and ultimately led to IP-address disclosure. He or she made many requests and a few out of that VPN-made requests is his or her own IP-address.

What can be done to distinguish his IP-address from the VPN servers?