Ah, it was a vulnerability with wp-automatic that was reported August 20th and fixed later that week.
Looks like they could set any WordPress option…
I speculate that they changed admin email so they would receive a verification email informing them of vulnerable sites.
Then they follow up changing the url, which lets them see what plugins and versions you use. All the css and js files for your extensions get remapped to their domain and the version number is in the url for cache. Wow
Then they can use a more specific attack if their scanner sees that you’re using a vulnerable plugin.