Yes, you are missing the fact the scammer has acess to your email, and is watching every email you get and every conversation you have.
That is how this works. Without access to your email address it doesn't work.
Many times after you send $, they will even change your password to your own email so you can't even get back into it to see what the fuck happened.
So let me break it down like this.
MESO_USER's password on BOP is ILOVEMESO.
BOP gets compromised and a hacker sees MESO_USER email is
MESO_USER@protonmail.com and password is ILOVEMESO
Scammer goes to
meso_user@protonmail.com and logs in, because Meso_USer didn't take proper precautions and used the same password for their email as BOP, and they are not using 2FA.
Scammer waits, and watches....
The rest is as above.