I have to say, it's a rather sophisticated attack. This is beyond usernames and passwords because every transaction also requires an MFA challenge, which somehow, the perp was able to circumvent. Unless the victims have also been "sim-swapped" without them being aware of it. But to me that's a little far fetched since something like that would've been the first thing they discovered after they've known about the unauthorized transactions.

Too many unknowns at this point but I'm pretty sure this is not the action of just one person.