Maybe spammers check if an email address is legitimate by checking HIBP. A pretty significant fraction of legitimate email addresses probably do show up in at least one list.
If you run a web service and want to proactively expire breached passwords, you need to have full list of plain-text passwords to hash them with algorithm you are using (and use the same salt if you are doing that too).
The compromised servers might be doing some primary work to which these queries are incidental, rather than for the purpose of scraping the database.
In such a case, the API may be saving them from needing to build infrastructure to accumulate the database and either distribute slices of the data or host their own API for their distributed software to use.
While the database may be valuable, they'd still have to invest a lot of time and some amount of money, face the same need to secure their API against exploitation by others, leave a stronger footprint leaving back to themselves, and have to depend on a service that is more likely to get flagged as a sure sign of suspicious activity than HIBP...