All three addresses were domestic — at least two of them in Miami, a quick search of online IP addresses shows. The location of the third U.S. address is unclear.

The delay in providing the addresses to prosecutors was an oversight, Vinock said. On Dec. 12, he emailed the addresses to VanderGiesen. But they appear to have been lost in the shuffle.

A month later, on Jan. 15, Jose Arrojo, head of the public corruption unit at the state attorney’s office, signed off on Hardiman’s four-paragraph memo closing the phantom-request inquiry . It contained no reference to domestic IP addresses.

The domestic IP addresses are now being examined, Ed Griffith, a state attorney’s office spokesman, said Friday.

Armed with the complete information, prosecutors can now follow up, using their subpoena power to obtain the users’ physical addresses from Internet service providers.

With the locations in hand, they might then be able to identify the hacker’s residence or business, or the public place, such as a library or Starbucks, that he or she used to take advantage of wireless Internet, said Steven Rambam, a New York-based private investigator with extensive experience in computer database and privacy issues. There, prosecutors could try to obtain surveillance video to identify the person online at the time the ballot requests came in.

“If it’s McDonald’s, McDonald’s routinely has video of their entire premises, inside and out,” said Rambam, who reviewed the IP address origins for The Miami Herald.

Even the foreign IP addresses were worth checking out, he added.

“I’ve picked up the phone as a private investigator doing these investigations and spoken to the security-and-abuse departments at the Internet service providers and gotten cooperation,” Rambam said .

The elections department also sent prosecutors a map of the voters targeted by the phantom requests. Though the department didn’t draw any conclusions from the map, it clearly illustrates that the voters were in three specific districts.

The Jan. 15 “close-out” memo makes no mention of the map, or of prosecutors following up with any political campaigns. “The map provided us with little useful information in tracking down the source of the computer attacks,” Griffith said.

Telltale pattern

The map showed that the first requests — the ones that originated from at least two Miami-area IP addresses on July 7 and 8 — targeted Miami-Dade voters in Congressional District 26, which stretches from Kendall to Key West. A little more than a week later, on July 16, the requests resumed — this time from foreign IP addresses — for voters in Florida House districts 103 and 112. They stopped on July 24.

District 103 extends from Doral to Miramar; District 112 from Little Havana to Key Biscayne.

The Herald analysis showed that, in the congressional district, 466 of 472 requests targeted Democrats. In House District 103, 864 of 871 requests targeted Republicans, as did 1,184 of 1,191 requests in House District 112.

Requests came in twice for nearly 500 voters, and three times for seven of them. The elections department doesn’t consider multiple requests suspicious, because voters are allowed to submit two ballot requests per election, in case the first ballot gets lost, for example.