if you know the perp's IP address, you can search for it in:
Control Panel » Member Management > View/Edit Members (admin/membermanage.php)
and then just click on the "Send PM" tab at the bottom to have a new (auto generated) password sent to that user's email address.
I am thinking that someone might have got in to your DB and downloaded the user and their password files, and then is logging in to each of them one at a time. -- OR as you said, a new user took advantage of how you've setup your forums, and they sent out a bunch of Private Messages to your users to log in their DOMAIN, setup to look just like yours... Phishing. With that, they collected passwords from those users, and is using them to continue forward with their attack.
