I wonder how they're doing it. If the wallets are password protected they have to somehow inject troyans with keyloggers. Otherwise they'd only be able to obtain wallet files but would need time to crack them. Maybe the wallets had no passwords? That wouldn't surprise me...