Unfortunately, having clearnet sites and un-encrypted emails with google/yahoo/protonmail etc means it only takes one slip up.
Protonmail is encrypted. AFAIK they weren't able to access the emails, but the name of the email gave them a clue where to look next. They got to the email name, so they started to look for this email in various domain registrations, forum accounts, and also for the alias used in the email.
They were also checking IP addresses used along with the email for various logins, domains, and so on.
Basically they were gathering anything they could, like if the account had a phone number as password recovery, they'd check that number. If it had an IP address that someone used to log in, they'd search for that IP and if it was used with other email providers.
Basically warrants for information went to numerous services from email to social media to exchanges, leading them eventually to him via different alias'. Whether he was simply involved with hosting the clearnet site, or even just a user, rather than admin, is another story though as the evidence seems to lack his direct involvement. Unlike with previous darkweb market takedowns for example, it's usually a requirement to catch the suspect "logged in" as it were, for concrete evidence.
That's correct. The fact that a user registered a domain, or had admin rights, doesn't make him the only person running the show, but the US likes to give people the good old stick before the carrot treatment. The idea is to get him to talk, give up everything, and later screw him into a life sentence like they did with Ross. Poor guy gave up his wallet passwords in hope for lower sentence and got life anyway.