
Company's password leak led to many successful logins from TOR IPs. Can I trace them?


Long story short, our company's passwords got leaked, which led to many successful logins to our sites, FTP servers, cloud accounts, etc., causing a lot of data loss and plenty of time spent recovering it and preventing it from happening in the future.

It is our fault, we stored our passwords in a file, which was located on our cloud, but the one who did it must be someone who might have access to that cloud, possibly someone who worked in the company in the past.

I installed a plugin on one of our WordPress sites to see the login attempts. I can see the IP of a person who tried to log in with the correct password (however, we changed it already). When I tried to look up some info about the IP, it was an IP of a TOR browser. I am new to this, but AFAIK it is practically untraceable.

My question is, is there a way (easy or hard) to trace this attacker?


Solution

  • Practically, no.

    Tor is designed to obfuscate the origin of a connection. In order to break Tor's anonymity, you'd have to see the traffic entering and leaving the Tor network. With some clever correlating you could then find out who's connecting where (the NSA & co are doing that) but for a normal person/company this is impossible.
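
Since the origin cannot be traced, the login records are still useful for scoping which accounts were entered from Tor. The sketch below is an added example, not part of the original answer; the event tuple layout, the sample addresses (documentation ranges) and the function names are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed exit list: one address per line, documentation ranges only.
# In practice this text would be a published Tor exit-node list.
TOR_EXITS_TEXT = """\
# constructed exit list
192.0.2.10
198.51.100.77
2001:db8::5
"""

# Constructed login events: (timestamp, service, account, source IP, outcome)
LOGIN_EVENTS = [
    ("2024-01-05T02:11:09Z", "wordpress", "admin", "192.0.2.10", "success"),
    ("2024-01-05T02:14:40Z", "ftp", "deploy", "198.51.100.77", "success"),
    ("2024-01-05T08:30:00Z", "wordpress", "admin", "203.0.113.4", "success"),
    ("2024-01-05T09:02:13Z", "wordpress", "editor", "192.0.2.10", "failure"),
    ("2024-01-06T01:45:51Z", "cloud", "backup", "2001:DB8:0:0:0:0:0:5", "success"),
]

def parse_exit_list(text):
    """Return a set of ip_address objects, skipping comments and malformed lines."""
    exits = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            exits.add(ipaddress.ip_address(line))
        except ValueError:
            continue  # ignore a bad entry rather than abort the whole load
    return exits

def tor_successes(events, exits):
    """Map (service, account) -> timestamps of successful logins from exit IPs."""
    hits = defaultdict(list)
    for ts, service, account, src, outcome in events:
        try:
            addr = ipaddress.ip_address(src)  # normalizes IPv6 spelling and case
        except ValueError:
            continue
        if outcome == "success" and addr in exits:
            hits[(service, account)].append(ts)
    return dict(hits)

if __name__ == "__main__":
    found = tor_successes(LOGIN_EVENTS, parse_exit_list(TOR_EXITS_TEXT))
    for (service, account), times in sorted(found.items()):
        print(f"{service}/{account}: rotate credentials, review activity since {min(times)}")
```

Each account it reports had a valid password used from an exit address, so its credentials and everything done in those sessions need review, not just the one login the WordPress plugin happened to show.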