My dad got phished. I think I may have prevented most of the damage, but I’m trying to understand what the scammers were doing. Help, please?

I’m trying to understand what was the point of all these transactions.

So, my (older) dad tried signing in to his Kraken account. I heard him complaining about all the trouble he had signing in, so I went over to check what was up. Sure enough, he had searched “kraken” on Yahoo (of all engines) and clicked on the first result: Krakeln.

Realizing his mistake, I signed into his account on the actual Kraken website, and immediately disconnected his bank account and changed his password. Then I checked his transaction history. The “hack” lasted about 25 minutes, so surely the scammers had enough time to transfer funds to their own wallets. But instead, this was the list of transactions:

Converted BTC to ETH

Converted SHIB to ETH

Converted ADA to ETH

Converted ETH to USDT

Sold USDT for ~6,800 Euros (mind you, he’s only used USD in the past)

Bought ETH for ~6,800 Euros

tl;dr: It looks like they just converted all his holdings to ETH, converted that to USDT, sold the USDT, then bought the same amount of ETH.

Was I able to stop this before he lost money in anything other than fees? It doesn’t look like they transferred anything in or out, unless I’m misunderstanding. If I am understanding correctly, why would the scammers waste 25 minutes just converting crypto?

Thanks for any help.