Gamergate, a veritable tornado of misplaced outrage and misogyny, has spent nearly two months spiraling across the cultural landscape, ruining lives as it goes.

Zoe Quinn, an independent game designer, saw her address and personal details sprawled across the Web. Anonymous trolls threatened to kill game developer Brianna Wu and rape her corpse. Then, just this week, an anonymous e-mail sent to Utah State University threatened “the deadliest school shooting in American history” if the feminist game critic Anita Sarkeesian was allowed to give a scheduled speech there.

“You have 24 hours to cancel Sarkeesian’s talk,” the e-mail read. “Feminists have ruined my life and I will have my revenge, for my sake and the sake of all the others they’ve wronged.”

The perpetrators are just out of reach, on the other side of a Twitter handle. The IP address from which they hurl their abuse is logged and recorded in some database. And yet, weeks after the initial threats and harassment started, and days after urgent, domestic terrorist threats were reported to police, no one has been arrested or charged with anything. The whole thing has dragged on so long that even Paul Elam — noted men’s rights activist and victim-blamer — is offering a cash reward for information leading to Sarkeesian’s threatened attacker.

What, exactly, is taking so long?

It’s hard to get into specifics, since the FBI doesn’t discuss, or even confirm, ongoing investigations. (It only emerged that the agency was investigating threats made as part of Gamergate when a San Francisco police officer told Polygon it had passed them the case.) That said, there’s a fairly standard process to investigating social media threats, said Danielle Citron, a law professor at the University of Maryland and an expert on abuse and harassment online. In essence, police just need to figure out who, exactly, is hiding behind the pseudonymous Twitter handle — a question that can actually be far trickier than it looks.

For starters, Citron said, police will need to approach Twitter (or Gmail or Yahoo or whatever other service is in play) with a subpoena or a search warrant to get user data. Twitter, and most other tech companies, are very strict about this: “Information about Twitter users will not be released to law enforcement,” the site specifies, “except in response to appropriate legal processes.” Of the roughly 1,250 user-data requests the U.S. government made between January and June of this year, Twitter managed to repel 28 percent.

But even once investigators have a warrant, and have obtained data from Twitter, there’s not necessarily a direct line leading from, say, @GamerGatelvr91 to some guy in New Jersey. Twitter doesn’t require its users register with their real names. The personally identifiable data it does collect — e-mail address, cellphone number, location — can be faked, skipped or disabled by the user. If the user deactivates his account, Twitter deletes all trace of it within 30 days. And the holy grail of identifying data, your IP address, can link back to many computers if they share a network, or be spoofed by anonymizing software like Tor.

Outside observers often assume that finding an anonymous user’s true identity is as simple as tracing his IP, the unique code assigned to each computer on a network. But particularly at universities and businesses, tons of computers can share the same address. If I were to send a threat from this computer, for instance, Twitter would log, the IP address for The Washington Post — a network with hundreds of computers on it. And if I were to send a threat from this computer using the Tor browser, Twitter would log the IP address as … which is in Germany.

“That can make their identification challenging, to say the least,” Citron said. “It is not impossible, but [that] is where having computer forensic specialists on staff is crucial.”

There are further complications too, Citron points out. Some victims, Sarkeesian included, hesitate to turn to authorities at first, afraid that they won’t do anything or that the mob is simply too big to go after. Even when suspects are identified, the real battle has hardly begun: The legal standard for prosecuting threats is very high in the U.S., and many states have yet to pass solid legislation on the issue.

Still, in some respects, Sarkeesian is fortunate — and I use fortunate loosely here, since the woman was threatened and driven out of her home — simply because law enforcement took her seriously. That remains the single most insurmountable hurdle in cyberharassment and stalking cases: The risk that police wave the victim off, or tell her it’s “just the Internet,” or suggest that she spend less time online. That response is actually the typical one, Citron said. And when that happens, there’s absolutely nothing victims can do.

Maybe this investigation seems to be taking a long time — but for some sad, backwards reason, it’s a victory that it is taking any time at all.