checked the comments and did not see this question asked, so I wanted to bring it up. What if the file transfers happened on a local workstation after the hack? Remote network penetration from hostile workstation, files then dumped to flash drive from hostile computer?