They would have gotten a valid certificate that couldn't be tied in anyway to their identity.
Coupled with e.g. a XSS vuln on a secured website, you could serve a nasty browser exploiting payload from a secure site, without any warning such as "this page is trying to load stuff from an unsecure site".
This in only one scenario, there are others. This really was pretty bad.
Not even the paid certs that most people buy are tied to identity. Those only validate control of the domain (usually by having you whack some garbage into a DNS TXT record).
Yet another reason why the SSL PKI is a scam and a racket.
By proving control of the domain, there is a link between the certificate and the person asking for it thru the registrar. And thru the payment information to the registrar, you can usually get to someone.
It's a tenuous link, but a lot better than no link at all. At times enough for law enforcement to follow the tracks.
(edit since we reached maximum comment depth) Control of an IP address doesn't mean trackable ownership of it, you could use any machine your just compromised and instantly have a valid certificate for it. Delays in certificate issue add a thin layer of security, even if you gained unlegitimate control of a domain, the interval before asking and getting a certificate offers an opportunity for the intrusion to be detected and remediated.
Instant valid certificate for any IP address you happen to compromise is really quite bad.
Anything you pay for is ultimately traceable, at least by law enforcement, unless you're using a stolen credit card or a BTC tumbler. And even then, depending on the effort they're willing to invest, investigators could probably track the sale of the credit card number to you, notice that the BTC tumbler was pretty quiet when your money came out of it and there's only a couple of possible Coinbase accounts responsible, etc.
Paying for an SSL cert does make people a bit more accountable, but I'd argue that that's a bug rather than a feature.
