If anything, this was an out of control CIA disguised as a Russian bank pinging the Trump servers to make the lie look real.
I've got an even better theory. The CIA ran implants both at the Russian bank and on Trump's server. They used DNS for covert comm.
I think you nailed it
The timing of the account re registration within days of the FISA warrant suggests someone was looking to bolster a case for wiretapping and picked a long defunct hospitality account that was being spammed
Except the misspelling in the domain name also looks like a deliberate setup
Why the FBI has let this drag on without tesolution does not suggest they are stumped, it suggests they are complicit