Victim used wallet generation software pulled from GitHub, generated an address, and received a transfer; the funds were then immediately transferred to the threat actor-controlled address.
I sent my USDC to my friend's account: 0x564e6d1cceB3a9A73FB00bAA90143C1D523b4D3D
which got rerouted immediately to this account:
0x8F0666bc23936D0F35b1C3fC19C7eC0895c04049
See txn:
https://etherscan.io/address/0x564e6d1cceB3a9A73FB00bAA90143C1D523b4D3D#tokentxns