They're linking to the original source of the news, which literally names "the sites".

No it does not. What sites appeared in the "stealer logs" with his email?

Ah, I thought you meant what sites list the stolen credentials. The exact overlap of websites across four separate stealer logs is enough to leak an email address pretty reliably. The only thing that's "telling" for is that they're not willing to dox this person.