A wave of credential stuffing, with no attempt to use the accounts. A pause. The accounts are accessed but not leveraged. A pause. Then, a flood of transaction fraud, using either the taken-over accounts or new ones set up with similar personal information.
The catch: The stages of this process may occur days or weeks apart. And they may not all take place on the same websites.