@pollyplummer at WP Tavern also published an article about this. Good recap.
You hear similar stories in other “addon communities.” Shady individuals/groups offer large sums of money for established and reputable plugins, then violate that trust by adding in malicious code. The original owners, struggling with monetization and overwhelmed with support, see it as a way out, unaware of the buyer’s true intentions until it’s too late.
For example, here’s a story about a popular Chrome addon being acquired and hijacked by spammers.