They knew the host of the service via the domain they would have been hitting, (presumably?) they knew the maintainer's handle as the code was open source, and the OP said that they knew the victim, as the hacker had some kind of identifier used in the attack. They had enough to triangulate the owner and/via the maintainer.