I don't see how that's relevant; there are many ways bad passwords could have been entered. We have no way to know the package wasn't tampered with during shipping. The unintended recipient could have handed it off to a friend to handle the shipping back to the original owner, and that friend could have been bored. Whoever levied the import duties could have also opened the package and been bored enough to start typing in random passwords, before repacking it and shipping it onwards.

Where did "90 times" even come from? I can't find that number documented anywhere in regards to Activation Lock, even googling specifically for that number in case there were anecdotes online.