4 points
They got access to the email accounts so credential stuffing and checking which emails had crypto if i had to guess.
Some additional reading here: https://www.justice.gov/opa/pr/man-convicted-violent-home-invasion-robberies-steal-cryptocurrency
Though there have been crypto companies with data breaches, like coinbase, so they could’ve always specifically targeted people who were known to have crypto from such leaks.