Hello lee1751, thanks for your question and welcome to the forum.
You are right to say that if a hacker owns many new, unused addresses, there is no way we (or anyone else) could know it before he uses them. This is because there is no known association with any other addresses yet, and hence there is no data for any sort of analysis to happen.
It is also unfortunate to say that some attacks are just not preventable on our part, such as exchange hacks or direct attacks to compromise smart contracts – basically those that exploit vulnerabilities in systems. The only way for us to know that something bad happened is after it has happened, as it is not possible for us to be aware of all the possible exploits that could possibly happen.
In such cases then, once the hack has happened, what we can do next is to stop the hacker from cashing out. Once we detect that the hacker is moving funds to exchanges, we would be able to inform the exchanges to freeze the funds and immediately end the hack right there. If everything goes well, no funds would be lost to the hacker and victims could be compensated. This is the reason why we have the ICF API so that exchanges and wallet providers can integrate with us and get the latest data from our TRDB. If the hacker cannot cash out, he has nothing
I hope this answered your question!
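Added example, not part of the reply above and not the ICF API or TRDB: a minimal sketch of tracing funds forward from an already-flagged address until they reach a known exchange deposit address, which is the point at which a freeze request becomes possible. All addresses, the exchange name, the transfer list and the function name are constructed for illustration, and the trace ignores transaction timing and amounts for simplicity.

```python
from collections import deque

# Constructed sample data (not real addresses or transactions).
FLAGGED = {"hacker_A"}                                  # reported after the hack
EXCHANGE_DEPOSITS = {"exch_dep_1": "ExampleExchange"}   # hypothetical deposit address
TRANSFERS = [                                           # (sender, receiver, amount)
    ("victim_wallet", "hacker_A", 100),
    ("hacker_A", "fresh_1", 60),
    ("hacker_A", "fresh_2", 40),
    ("fresh_1", "exch_dep_1", 60),
    ("unrelated_1", "unrelated_2", 5),
]

def trace_cashouts(flagged, transfers, exchange_deposits, max_hops=5):
    """Breadth-first trace of outgoing transfers from flagged addresses.

    Returns (alerts, tainted): one alert per transfer into a known exchange
    deposit address, and a map of every reached address to its hop distance.
    """
    outgoing = {}
    for sender, receiver, amount in transfers:
        outgoing.setdefault(sender, []).append((receiver, amount))

    tainted = {addr: 0 for addr in flagged}
    parent = {}
    queue = deque(sorted(flagged))
    alerts = []
    while queue:
        addr = queue.popleft()
        for receiver, amount in outgoing.get(addr, []):
            if receiver in exchange_deposits:
                # Rebuild the path back to the flagged source for the report.
                path, node = [receiver], addr
                while node is not None:
                    path.append(node)
                    node = parent.get(node)
                alerts.append({"exchange": exchange_deposits[receiver],
                               "amount": amount, "path": path[::-1]})
                continue  # stop here: exchange funds are pooled with other users'
            if receiver not in tainted and tainted[addr] < max_hops:
                tainted[receiver] = tainted[addr] + 1
                parent[receiver] = addr
                queue.append(receiver)
    return alerts, tainted

if __name__ == "__main__":
    alerts, tainted = trace_cashouts(FLAGGED, TRANSFERS, EXCHANGE_DEPOSITS)
    print(alerts)
    print(tainted)
```

An address that has never appeared in a transfer, such as a hypothetical `fresh_unused`, is absent from the result until funds actually move to it, which matches the limitation described in the reply.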