What's happening is that people collect endless phrases and alter them with a ton of standard manipulation schemes, compute the corresponding private and public keys & addresses for all the variations, create a lookup table for the addresses and private keys, and as soon as they see a known keypair in use then they use the corresponding private key to swipe the funds.