I think how that is accomplished is fairly easy. The backdoor or security vulnerability is left open on purpose by operators, and when the time is right is exploited by the persons who left it there in the first place.
The result: If done right there is plausible deny ability if the "hacker" ever becomes a suspect in any criminal investigation.
That goes for the more sophisticated scams, lesser ones probably just cut and run..
Yes, "plausible deniability" is a good phrase.
Play dumb and pretend the hackers were really "sophisticated" (usually located in some far off place like "Eastern Europe" or "North Korea" or whatever you're having yourself).