My guess is that they did not know. I am hoping someone will see this, and recognise it. Maybe we could figure out together what is going on. The e-mail address from the DNS listing is found a couple of places on the internet, all in the same setting: Recepient from some e-mail service, nothing else.
This is the thing. The only thing that come to my mind is that the attackers knew previously his wife. Since the email is not a common one like info@... or contact@... it sounds difficult to me to find.
Another possibility is that some bot is buying discarded domains and trying to restart password with different combinations
I was thinking about this too. I do not think it was a targeted attack. I guess my wife's e-mail and password from way back was found among the millions of leaked passwords that are available. It would be easy to find domains that are no longer existing in that list. And likewise easy to find if certain web sites would react positively to the e-mail address of the non-existing domain. And then it would just be a matter of registering the domain to get access, at least to some sites. What boggles me, is that someone actually does this. I can't see why.
Maybe someone was scraping that data for expired domain names?