It’s been more than three weeks since Sony Pictures employees arrived in their offices to find threatening messages accompanied by glowing skulls placed by hackers on their computer screens, but the embattled studio is still dealing with the fallout. Terabytes of Sony’s internal data has been leaked online. Sony’s been hit with multiple ex-employee lawsuits. Ominous warnings have been issued about attacks on movie theaters that play Sony’s upcoming The Interview.

But we still don’t know a basic question: Who hacked Sony?

The person or people claiming responsibility call themselves the “Guardians of Peace,” or GOP. Early reports suggested North Korea was behind the GOP, and there’s been some evidence of that. But North Korea has denied responsibility for the hack, and it’s equally possible the assailants planted clues leading to North Korea as a distraction.

Here’s why people think North Korea was involved:

The attack looks similar to hacks previously linked to North Korea, according to cybersecurity analysts. In a hack like the one against Sony, the attackers most likely found a way to infect Sony’s systems with malware, probably through an email. Once Sony’s system was infected, the hackers could use what’s called a command-and-control server to steal data. And, as it turns out, the malware being used against Sony communicates with at least one of the same command-and-control servers used in previous attacks attributed to North Korea.

It’s improbable that’s a coincidence, experts say. And the malware itself was developed and compiled on systems set to use the Korean language, another clue pointing to North Korea.

“It’s highly unlikely to see another piece of malware that carries strong similarity characteristics and uses the same command and control server,” Kaspersky Lab analyst Kurt Baumgartner says. “It’s a very unique indicator.”

North Korea has a motive. The leaders of the reclusive nation are furious about Sony’s upcoming release of Seth Rogen and James Franco comedy The Interview, which revolves around an assassination plot against North Korean leader Kim Jong-un. North Korea has called the movie an “act of war.”

The hackers are doing whatever they can to stop people from seeing The Interview. On Tuesday, the hackers or somebody claiming to be associated with them threatened to attack movie theaters that screen The Interview. At least one theater chain has already decided not to show the movie.

But there are reasons to doubt North Korea’s involvement:

North Korea has denied the hacks. The government officially claimed it wasn’t responsible, but praised it as a “righteous deed.” American law enforcement is investigating any possible North Korea links, but so far hasn’t found evidence of one.

It’s easy enough to buy and sell malware. There’s a big black market for malware, and a lot of it is simply traded, repackaged and used again. So the similarities between the Sony attack and earlier hacks linked to North Korea may not be so telling.

The North Korea clues and theater threats could be a red herring. North Korea was making vague threats over The Interview long before Sony was hacked. If random hackers attacked Sony because they found an exploitable weak point, they might have left clues pointing to North Korea and made threats to keep attention squarely on Pyongyang.

It could just be random hackers. Sony has long been a favorite target of hackers around the world. Its PlayStation Network, for instance, has repeatedly been hit by disabling attacks. That’s at least in part because back in the mid-2000s, Sony put software on millions of music CDs that, when put in a computer, would automatically install software meant to make it harder to illegally copy those albums. Sony’s software, however, installed itself without users’ knowledge and exposed users’ machines to security vulnerabilities. Many in the hacker community have not forgiven Sony for the practice, which it ended in 2007.

Read next: These Are the Theaters That Have Pulled ‘The Interview’ After Threat

Contact us at letters@time.com.