Now that most hackers have figured out what was happening, Microsoft has revealed that for years many hackers unthinkingly allowed their Windows operating system to send information back to Microsoft. This came in the form of data files on failed attempts to build new hacker code.
It works like this (for all Windows users). When criminal programmers are building the programs they secretly insert into other people's PCs, they have to test their work, and their programs often don't work initially. Such failures cause their PC to lock up (crash), and while that is happening, the Windows operating system captures what was going on at the time of the crash. When the user reboots, the operating system asks if it is OK to send this information to Microsoft, where it is analyzed (initially by software) for potential problems in Windows (which can then be fixed). The screening software looks for all sorts of patterns, and eventually picked up the crashed hacker software in these memory dump files. It was quickly realized that this allowed Microsoft to monitor what was going on in the hacker underground.
Although many hackers were sharp, or attentive, enough not to send the memory dumps to Microsoft, many still did. More experienced hackers kept telling everyone about this problem, but the dump files kept arriving at Microsoft, allowing the tracking to continue. These hacker files were so numerous that they provided a reliable picture of what software the criminal programmers were creating, and were a big help in making computer security software more effective. This is why the Microsoft security software that comes with Windows is so good at keeping hacker stuff out, or cleaning up after malware that does get in.
Microsoft has also gotten dump files from Cyber War hackers, and all sorts of people who should know better than to let the operating system send that stuff home. Microsoft won't talk about this angle.