Seems like a variation on brute force
"We want to find out the email address. So first we send aaa@example.com and get back, say, 200 bytes of compressed encrypted data. We next send a combination of addresses until we hit bob@example.com and get back 184 bytes"
So in other words it just guesses at the email address. Presumably it'll have to do the same for any bank account/social security numbers too? Good luck with that. I suspect the bank server will become suspicious at all the failed attempts and lock the account long before the trojan manages to guess anything successfully.
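The length signal described in the quoted passage can be reproduced with zlib. This is an added example, not part of the original comment. The page template and function names are hypothetical, and the sample values are constructed around the two addresses in the quote. It shows the weak layout (reflected input and secret in one compression stream) beside a hardened one.

```python
import zlib

# Constructed sample values; the two guesses are the addresses quoted above.
SECRET = b"bob@example.com"
GUESSES = [b"aaa@example.com", b"bob@example.com"]


def render(reflected, secret):
    """Hypothetical page: echoes request-supplied text and embeds a secret."""
    public = b"<p>Results for: " + reflected + b"</p>"
    private = b"<input name='email' value='" + secret + b"'>"
    return public, private


def shared_context_len(reflected, secret=SECRET):
    """Weak: one DEFLATE stream covers both the reflected text and the secret.

    When the reflected text equals the secret, the second copy is encoded as a
    single back-reference, so the output is shorter. Encryption applied after
    compression does not hide this, because ciphertext length tracks
    plaintext length.
    """
    public, private = render(reflected, secret)
    return len(zlib.compress(public + private))


def split_context_len(reflected, secret=SECRET):
    """Hardened: reflected text is sent uncompressed and the secret-bearing
    part is compressed on its own, so no back-reference can span the two."""
    public, private = render(reflected, secret)
    return len(public) + len(zlib.compress(private))


def length_table():
    """Map each guess to (shared-context length, split-context length)."""
    return {g.decode(): (shared_context_len(g), split_context_len(g))
            for g in GUESSES}


if __name__ == "__main__":
    for guess, (weak, hardened) in length_table().items():
        print(f"{guess:18} shared={weak:3d} bytes  split={hardened:3d} bytes")
```

With the split layout, equal-length guesses always produce equal-length responses, so the size no longer depends on whether the guess matches.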