The hacker - one Richard Kirk - cracked the passwords to the eBay accounts and from there accessed the victims' PayPal accounts. He then proceeded to transfer the money from these accounts to his and, finally, to buy stuff with the appropriated funds.
Among the things he bought were actual gold bars, whose delivery was monitored by the police after having been contacted by the owner of one of the compromised accounts. According to thisisnottingham.co.uk, Kirk was arrested "with his laptop on his knee, surrounded by parcels" after the postman left.
Whether Kirk managed to crack the passwords to the eBay accounts by guessing or by phishing has not been reported, but given the fact that compromising PayPal accounts gives attackers direct access to money, it is no wonder they are the most targeted online accounts by phishers.
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.