Otherwise, this sounds similar to scam emails that I regularly receive. (No conferences involved.) So I'd bet the situation is "legal", at least in the sense that nobody with real power cares to shut it down.
Idea: If some of the targets were from large institutions, and some of their credit cards were company-/govt-/university-issued, then suggest that they tell their email admins to globally block everything from Doc-U-Scam.con, to protect their institutions from fraud. If enough email systems bounced everything from those folks, then it'd seriously damage their business model.
Academia, at least in math, has a tradition of being public. Conferences will advertise at least the list of speakers, and sometimes the full list of attendees. This is widely considered a good thing; people trying to decide whether to go to a conference will want to know who else will be there.
Moreover, the conference organizers have sent out multiple emails to the attendees warning that scammers were targeting them, and emphasizing that there were no third parties legitimately involved.
So I can't and don't fault them.