Russian IPs are used, because russia won't help the american authorities with investigations. If I was an american and hacking into <whatever american thing>, I'd use russian IPs too.

Couldn't you route through a Russian IP for anonymity and then a US IP for access?

It's not anonymous if the US IP has a real life connection to you.

I think what the original commenter meant was a multi-hop setup like this:

You -> Russian IP -> US IP

then you'd get anonymity via the Russian hop but aren't geoblocked due to your final hop being in the US.

I'm sure there's at least one VPN service that has US IPs and takes Monero.

Which is fine for the attacker here. All they need is to hit the login endpoint from an IP that's geolocated to the US. They don't mind if it's possible to trace it to their Russian IP. And that's roughly all that the VPN service sees. I explicitly mentioned Monero because I believe that when used properly, it wouldn't add any extra information.

Mullvad

Russian IPs were in the pool because it never occurred to them to check where these IPs were geo registered

Yep, pretty much impossible to disentangle careless incompetence from malevolence with these goons.

Yup. That's what they're counting on.