There is the potential that netflow data was sold across any potential VPN providers as well metadata could have been extracted around the XMR nodes they were connecting to.