Probably experts in rubber-hose cryptanalysis.
And not experts in securing their site from malicious actors using it as a base.
It’s common in phishing schemes to either have a non-functional site hosting only the payload or one that hosts a full front appearing like a normal website, usually a blog with news.
Seems like a real company too, e.g. https://pdf.indiamart.com/impdf/20303654633/MY-1793705/alumi...