I've had a couple of cases to date where email addresses compromised by malware then discovered in the course of investigations have been provided to Have I Been Pwned (HIBP). Firstly by the Estonian Central Criminal Police a few years ago, then by the FBI and global counterparts this April and now, in the third such case, by NordLocker. (Full disclosure: I'm a strategic advisor for NordVPN who shares the same parent company.) NordLocker has written about the nameless malware that stole 1.2 TB of private data and the first sentence sets the scene:
Between 2018 and 2020, a custom Trojan-type malware infiltrated over 3 million Windows-based computers and stole 1.2 terabytes (TB) of personal information
NordLocker goes into a lot more detail in the link above so I won't repeat it all here, but what's important to understand as far as HIBP is concerned is that they're in the same position as the Estonian Police and the FBI: they're sitting on a bunch of compromised personal info, now what? As with the two law enforcement agencies, NordLocker's goal is to inform impacted parties which is where HIBP comes in so as of now, all 1,121,484 compromised email addresses are searchable.
As with the data provided by the FBI and co, this incident has been flagged as "sensitive" so it's not publicly searchable. For individuals, verifying your email address by the notification service will show if it was in this data set. For organisations, the domain search feature will allow you to search across the breadth of any domains you can verify control of. For guidance on how protecting against malware, read NordLocker's report on the incident.