It's not DDOSing, it's credential stuffing[0]. Hackers find leaked databases which contain username/password pairs. They then try username@protonmail with the password from that database (or they just try the top 1000 most common passwords). If they get in, they suddenly have control over someone's email. From there they can password reset any of the user's other accounts, some of which might allow them to buy real-world items.
The best mitigation as a user is to never reuse a password; however, ProtonMail cannot enforce this. From their side the best option is to slow down the hackers as much as possible so it's less likely their more vulnerable users get compromised.
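
As an added example that is not part of the original comment and not ProtonMail's code: one way a login service can "slow down" credential stuffing is to scale the delay with the number of distinct usernames a source has failed on, which separates a list being walked from one user mistyping a password. The class name, thresholds, and sample events are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

# All thresholds below are assumed values for illustration, not ProtonMail's.
WINDOW = 600         # seconds of failure history kept per source
FREE_USERNAMES = 3   # distinct failed usernames allowed before slowing down
MAX_DELAY = 300      # upper bound on the imposed delay, in seconds


class StuffingThrottle:
    """Delay logins from a source by how many *distinct* accounts it has failed on."""

    def __init__(self):
        self._fails = defaultdict(deque)  # source -> deque of (timestamp, username)

    def _recent(self, source, now):
        q = self._fails[source]
        while q and now - q[0][0] > WINDOW:
            q.popleft()
        return q

    def record_failure(self, source, username, now):
        self._recent(source, now).append((now, username))

    def delay_for(self, source, now):
        distinct = len({user for _, user in self._recent(source, now)})
        excess = distinct - FREE_USERNAMES
        # One person mistyping their own password stays at zero delay;
        # a source walking a leaked list doubles its wait per extra account.
        return 0 if excess <= 0 else min(MAX_DELAY, 2 ** excess)


def replay(events):
    """Feed (timestamp, source, username, success) tuples; return final delays."""
    throttle, last = StuffingThrottle(), 0
    for ts, source, username, success in events:
        if not success:
            throttle.record_failure(source, username, ts)
        last = ts
    return {s: throttle.delay_for(s, last) for s in list(throttle._fails)}


# Constructed sample: one source failing on ten accounts, one user retrying.
SAMPLE = [(t, "203.0.113.7", f"user{t}", False) for t in range(10)]
SAMPLE += [(t, "198.51.100.4", "alice", False) for t in (0, 5, 10, 15, 20)]

if __name__ == "__main__":
    print(replay(SAMPLE))
```

Keying on a single source address is the simplest case; the same counter can be keyed on whatever grouping the service trusts more, such as a network range or client fingerprint.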