I feel like it's more likely someone got caught by their org noticing their credentials being used to dl ridiculous amounts of papers, and fell back on the "wow, that's so weird; I must have been hacked" excuse.
> It always seemed unlikely that Sci-Hub’s archive was entirely contributed by concerned citizens.
Note that Sci-Hub's model wasn't concerned citizens uploading articles, but academics (allegedly, at least) sharing their credentials and Sci-Hub using those to download requested articles if they didn't have it in their own caches yet. With that method, it seems a lot less unlikely to me that a relatively small number of academics could have "contributed" many articles.
Phishing, though, crosses the line. Once you start tricking people and removing their agency, you’re the bad guy.