Replying to fiatjaf

There are a dozen issues with this scammy paper.

The most important is that it only worked on a couple of clients that didn't check signatures. These clients only connected to a static set of semi-trusted relays and changing the relays they connected to would require a manual typing operation from the user.

For the attack to work it required victims to manually type the URL of the attacker relay, which makes it completely absurd.

It's like telling someone to visit "verysecretnotscammywebsite.com" and type all their secrets there, then read their secrets because the website leaked them and write a paper claiming that the web is broken.

Luxas 2mo ago

How old is the paper? They mention Plebstr client, which hasn't been around for a very long time lol


Discussion

Lady Mae - Growth Teacher 2mo ago

According to the papers, the PoC was done in 2023, but their metadata says they updated it this Aug 2025.
