Accounts with third-party service providers were used “for exfiltration or infrastructure,” according to a post by law enforcement on LockBit’s seized darkweb domain.
By pwning it. You dont have to find it to pwn it. You just have to be able to send data to it, which everyone can do because whats the point of having a server if noone can interact with it. The attacker just interacts with it in a way that manipulates it to execution attacker controlled code. So for a .onion website for example you find a vulnerability in the websites code and exploit it to make the server the website is running on do what you want.
By pwning it. You dont have to find it to pwn it. You just have to be able to send data to it, which everyone can do because whats the point of having a server if noone can interact with it. The attacker just interacts with it in a way that manipulates it to execution attacker controlled code. So for a .onion website for example you find a vulnerability in the websites code and exploit it to make the server the website is running on do what you want.