They wrote there were no funds left. Imagine the attacker, they most likely setup many LN wallets at custodial providers (Bitlifi, Wallet of Satoshi, etc) with fake data (mobile phone, email) and just sent LN payments between them to make the tracking worse. I guess in the end, they sent it to something like FixedFloat and exchanged it for Monero.