You sue them the same as anyone else, but your real question is determining who it is. That is not a legal question.
The above is general legal and business analysis. It is not "legal advice" but analysis, and different lawyers may analyse this matter differently, especially if there are additional facts not reflected in the question. I am not your attorney until retained by a written retainer agreement signed by both of us. I am only licensed in California. See also avvo.com terms and conditions item 9, incorporated as if it was reprinted here.
Yes you may but there's a lot of work determining who it is. It is rarely the person you think it is. Good luck.
The response above is not intended as legal advice since it’s impracticable to provide thorough, accurate advice based upon the query without additional details. It is highly recommended that one should seek advice from a criminal defense attorney licensed in your jurisdiction by setting up a confidential meeting. Moreover, this response does not constitute the creation of an attorney-client relationship since this message is not a confidential communication because it was posted on a public website, thereby publicly disclosing the information, which is another reason to setup a confidential meeting with an attorney.
I agree that finding the hacker is the hard part and requires sophisticated technical expertise. If you lack the resources, perhaps a criminal complaint is the way to go. You would start with the police and local D.A. but if it is an international hacker, it might require federal agencies getting involved. Depending on the seriousness of the crime, it may be difficult getting help from law enforcement. However, it is an option that you should consider to help deter future hacking by this individual or group.