Or the legit site was hacked and copied 1:1, except the address was changed so as not to cause any stink. That would be my guess.
Well he was on a darknet site lol, comes with the territory.
I know, I think the same thing!
I found out how it works for real. The phishing site forwards all your requests to the real, legitimate sites and presents back to you the real site too. Except, their man-in-the-middle backend steals your credentials and swaps out the bitcoin addresses presented to you. So that's why the legit login worked. I've taught myself how to PGP-verify darknet website signatures to make sure they are legit, so hopefully that will be the only time that happens.