What's actually happening is that the 3rd-world scammers are totally bypassing any old email lists, and going straight to the WHOIS data for emails from any major Internet provider with a customer service phone number (i.e., Verizon, AT&T, Comcast, etc.) and then forwarding these lists to massive call centers.
Then cheap labor mass-calls these providers and plays the old "I am sorry, I lost my password" social engineering trick (using your WHOIS address and phone info to authenticate) to gain access to your account, and by virtue all your emails. And then a quick password change later they are playing the "forget password" game at your registrar account and quickly transferring out all your valuable domains.
If you have 2-factor authentication, they then just call your cell phone company and port the number out (again using WHOIS address/phone data) and defeat it that way.
The most vulnerable part of any security plan is the people sitting in CS at your local Internet provider, happily giving full account access to Nigerian, Kenyan and Moroccan scammers who only need to provide them your address and phone number. The lack of security protocols and accountability is appalling and I highly recommend these steps to negate these CS nimrods:
1) Do not use an email for WHOIS from any source that has phone support.
2) Do not use an email for Registrar accounts from any source that has phone support.
3) Use a different email for WHOIS than you do for Registrar account access.
4) If possible, use multiple email accounts from domains that you control - zzzzz @ mysite.com for WHOIS and xxxxx @ myothersite.com for Registrar account.
Remember, these thieves are looking for quick scores from calling well-known ISPs, and like any security system, you are simply trying to dissuade jokers like this from making an easy theft. They see "admin @ sdjeuyydkkes.com" and they quickly move along to the next victim.
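
The four steps above can be checked mechanically across a domain portfolio. The following is an added example, not part of the original post: it reads the contact emails from a WHOIS record and reports which steps a domain fails. The provider domain list, the function names and the sample record are assumptions made for illustration.

```python
import re

# Assumption: mailbox domains of providers with phone support. The post names
# Verizon, AT&T and Comcast; extend this set for your own environment.
PHONE_SUPPORT_DOMAINS = {"verizon.net", "att.net", "comcast.net"}

CONTACT_RE = re.compile(
    r"^\s*(?:Registrant|Admin|Tech)\s+Email:\s*(\S+@\S+)\s*$",
    re.IGNORECASE | re.MULTILINE)

def whois_emails(whois_text):
    """Return the distinct, lower-cased contact emails in a WHOIS record."""
    return sorted({m.lower() for m in CONTACT_RE.findall(whois_text)})

def mail_domain(address):
    return address.rsplit("@", 1)[1].lower()

def audit(whois_text, registrar_email, own_domains):
    """Return (step, message) findings for one domain, per the steps above."""
    findings = []
    login = registrar_email.lower()
    own = {d.lower() for d in own_domains}
    for addr in whois_emails(whois_text):
        if mail_domain(addr) in PHONE_SUPPORT_DOMAINS:
            findings.append((1, f"WHOIS email {addr} is at a phone-support provider"))
        if addr == login:
            findings.append((3, f"WHOIS email {addr} is also the registrar login"))
        elif mail_domain(addr) == mail_domain(login):
            findings.append((4, f"WHOIS email {addr} shares a domain with the login"))
        if mail_domain(addr) not in own:
            findings.append((4, f"WHOIS email {addr} is not on a domain you control"))
    if mail_domain(login) in PHONE_SUPPORT_DOMAINS:
        findings.append((2, f"registrar login {login} is at a phone-support provider"))
    if mail_domain(login) not in own:
        findings.append((4, f"registrar login {login} is not on a domain you control"))
    return findings

# Constructed sample record, not real WHOIS output.
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE.COM
Registrant Email: jsmith@comcast.net
Admin Email: JSmith@comcast.net
Tech Email: hostmaster@example.net
"""

if __name__ == "__main__":
    for step, message in audit(SAMPLE_WHOIS, "jsmith@comcast.net", {"example.net"}):
        print(f"step {step}: {message}")
```

An empty result means the domain passes all four steps; the registrar login address is supplied by you, since it never appears in WHOIS.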