Yeah, but the person paying may not actually be aware that they are paying for it. The fraudsters could be using a stolen credit card to pay for hosting, or just hijacking someone's cloud account. I've seen more than a few occasions of employees of large corporations throwing their own instances in with the company's massive fleet, I wouldn't be surprised if some of those were used for nefarious purposes.