Probably GMX already locked him out of the account, Peter Todd is reporting that emails are bouncing back. Taking into account how stupid the hacker looks like, he probably didn't dump all the emails - if now he is locked out he will have no way to prove he was the original hacker because he didn't even create a PGP key for that purpose...
Amateur time.
That would mean the e-mail in the account exist unencrypted somewhere since only a password reset was needed to access it. Makes one wonder what would happen if a GMX admin has some free time to snoop around in his locked e-mail account?