After reading Krebs' initial take on the incident[0], I think a plausible explanation is that whoever created the hack isn't the person who exploited the hack.
The hacker managed to get an amazing level of access, but exploiting that, and extracting value from it, and getting away clean is probably really hard. So they sold the access to whoever was willing to pay for it for a guaranteed return. That also gives you an extra middleman that law enforcement has to get past before they get to you, and confusing the trail between the middleman and you might be easier than confusing the trail between your targets and you.
Except whoever paid for the access and used the exploit just didn't have the imagination to do something that made as full use of the hack as they might have done. And now dozens of other criminals are facepalming themselves to death for not having been the ones to have bought this opportunity for their own ends, which they think would have been much more epic.
The hacker managed to get an amazing level of access, but exploiting that, and extracting value from it, and getting away clean is probably really hard. So they sold the access to whoever was willing to pay for it for a guaranteed return. That also gives you an extra middleman that law enforcement has to get past before they get to you, and confusing the trail between the middleman and you might be easier than confusing the trail between your targets and you.
Except whoever paid for the access and used the exploit just didn't have the imagination to do something that made as full use of the hack as they might have done. And now dozens of other criminals are facepalming themselves to death for not having been the ones to have bought this opportunity for their own ends, which they think would have been much more epic.
[0] https://krebsonsecurity.com/2020/07/whos-behind-wednesdays-e...