You are describing rare, single digit numbers of events that netted enough to be characterized as hundreds of millions / year for a short time period. That's "extraordinary". Meaning that skill alone doesn't guarantee that earning level.
Generally, single digit millions/year seems a reasonable expectation for a very talented (and ethically flexible) exploit practitioner. Beyond that requires luck and right place / right time.
Hundreds of millions, per year, to a single exploit specialist, is. Not arguing your general point of financial benefit for world class exploit specialists. Just arguing the scale.
>Stealing $100M over two years from FB and Google?
Yeah, I think at this point the largest actors in this field have stolen $1B+ just by themselves.
>Social engineering isn't an inferior skill to actual code exploits.
For this specific purpose it probably is. With a single webmail exploit you could trivially be stealing similar amounts in days from vast numbers of businesses. All you need to do is automatically (or manually) replace bank account information in the emails. This is a relatively simple task to automate.
A $20M wire being sent to some random bank account copy-pasted from OWA is nothing out of the ordinary. There are thousands, probably tens of thousands of potential targets.
At least the FBI seems to think that these email compromises are a 5 billion dollar industry, https://securityledger.com/2017/05/fbi-business-email-compro... We haven't even seen any fancy 0days being used yet, the whole industry is prime for disruption by more sophisticated, more efficient actors.
In the face of all this it really seems hard to argue that a world class exploit dev couldn't be earning hundreds of millions a year with relative ease.
Wire fraud in the high tens of millions is a daily thing. Shit out an OWA RCE bug and you can make billions swapping out bank account info in emails.
All the money in the world is controlled by insecure computers, of course skilled exploit devs can drown themselves in it.