Re: How did the crims create the sub-domain?
That's almost correct. Two points:
1) I have never dealt with Verisign, but I assume they do not give certificates for a hostname only and that they also require payment. This means that the identity of the crooks would have to be revealed when applying for the certificate, or at least they would have to hide behind someone else's identity. Let's Encrypt does not take payment and does not perform any check other than hostname only, making it ideal for keeping one's identity secret.
2) This works for crooks when either the DNS server or the HTTP server (to which a wildcard points) is hacked. Given the past state of BIND DNS, the former option is unfortunately quite possible.