Our community was hit with a huge number of spam registrations in March. See the Tsunami topic. Some of the registrations got through while most were in a pending status (we use aMember for our current 3.3.4 board - register externally and then SSO). Whether the registration got through or sat in the pending status (awaiting email validation), we had to evaluate the domain name of each registration. If it was xx@buildingsupplies.com, we banned that domain because we want our community to have personal email addresses. But many of the registrations had domain extensions like me.com, gmail.com, outlook.com, hotmail.com, aol.com with real names attached. We couldn't ban those domains, so we checked the registration to see if the username and the first name and last name were all the same. If yes, then we deleted the registration. All this to say it was an eye-opener to see just how many real personal email accounts had been obtained on the dark web.
Maybe start compiling a list of the email addresses from accounts that you are deleting, and perhaps see if they compare to the IPS banned list? Also, notate the date of registration? These suggestions are along the lines of what the IPS staff is suggesting, that these bad apples snuck in months ago.
One thing we do that helps to verify a registration is include a few additional registration fields: Country, State, City ... so we look at that information in the real registration or the pending registration and if the fields don't agree, that's a first flag, and if needed, we check the IP address of the origin and if that IP address location doesn't agree with the Country, that's another red flag.
If these spammers have the login access to the actual email accounts, which I think is what Jim M is inferring in the quote, then there doesn't seem to be anything you can do other than to ban that specific email address.
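The checks described in this thread (banned business domains, username equal to first and last name, form country versus IP country, and a log of deleted addresses with their registration dates), sketched as an added example that is not part of the original posts. The lists, field names and sample records are constructed, and the IP country is assumed to come from a GeoIP lookup done elsewhere.

```python
from dataclasses import dataclass

# Constructed lists; a real board would load its own.
FREE_MAIL = {"me.com", "gmail.com", "outlook.com", "hotmail.com", "aol.com"}
BANNED_DOMAINS = {"buildingsupplies.com"}  # the business domain named in the post

@dataclass
class Registration:
    username: str
    first_name: str
    last_name: str
    email: str
    country: str      # country code typed into the registration form
    ip_country: str   # country code from a GeoIP lookup done elsewhere (assumed)
    registered: str   # registration date, kept for the deletion log

def triage(reg):
    """Return (action, flags); action is ban_domain, delete, review or allow."""
    domain = reg.email.strip().lower().rpartition("@")[2]
    if domain in BANNED_DOMAINS:
        return "ban_domain", [f"banned domain {domain}"]
    names = {n.strip().lower() for n in (reg.username, reg.first_name, reg.last_name)}
    if len(names) == 1:  # username, first name and last name all the same
        return "delete", ["username, first name and last name identical"]
    flags = []
    if domain not in FREE_MAIL:
        flags.append(f"domain {domain} needs manual evaluation")
    if reg.country.upper() != reg.ip_country.upper():
        flags.append(f"form country {reg.country} != IP country {reg.ip_country}")
    return ("review" if flags else "allow"), flags

def triage_all(regs):
    """Triage a batch and log (email, date) of deletions for later comparison."""
    actions, deleted_log = {}, []
    for reg in regs:
        action, _ = triage(reg)
        actions[reg.username] = action
        if action == "delete":
            deleted_log.append((reg.email.lower(), reg.registered))
    return actions, deleted_log

# Constructed sample registrations (not real accounts).
SAMPLE = [
    Registration("jsmith", "John", "Smith", "xx@buildingsupplies.com", "US", "US", "2024-03-02"),
    Registration("marta", "Marta", "marta", "constructed-b@gmail.com", "US", "US", "2024-03-05"),
    Registration("kwells", "Karen", "Wells", "constructed-c@outlook.com", "CA", "RO", "2024-03-07"),
    Registration("dlee", "Dana", "Lee", "constructed-d@me.com", "US", "US", "2024-03-09"),
]
```

The deletion log returned by `triage_all` is the list that can later be compared against a banned list, with the registration dates alongside.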