TransWikia.com

How do sites detect credential sniffing, and what is the purpose of this attack?

Information Security Asked on January 4, 2021

I just got an email from the Unsplash service telling me that someone had logged into my account via credential sniffing:

Five minutes later I get three more emails, each one notifying that a (generic) photo just uploaded to the account had been flagged.

The news doesn’t surprise me because the password is a weak throwaway that I know is in several public databases, and this latest attempt is possibly linked to last week’s Cit0 service leak, which I am in, but I’m curious about two things:

  1. How exactly Unsplash detected the credential sniffing attempt so quickly

  2. The motivation of the hackers for logging into a free account on a stock photos service and uploading a bunch of generic images

One Answer

We can't know how Unsplash detected it unless they tell us. However, many large websites have some sort of abuse tooling to automatically detect patterns. For example, Unsplash may import compromised credentials from public databases and match logins on those accounts from certain shared IP addresses. Clearly they've seen this pattern before since they have a pre-canned email about it.

In general, any site of reasonable size that has a social aspect where there can be likes or ranking of items is subject to abuse from bots who sell paid likes. As for who would want this, consider being able to put on your resume that you're one of the top ten most popular photographers on Unsplash. That would be very appealing indeed. It may also cause search engine rankings for your user ID or name to be better, especially if they show up on a favorites or top photos page.

As for why the attackers uploaded images: it's very easy to find empty accounts that only give out likes. If a user engages in a variety of types of activity, it makes it seem less suspicious, so the site is less likely to catch on to the pattern. They also may like unrelated accounts to make it less obvious who's paying them if they do get detected. Most sites don't permit gaming the system in this way (or using automated systems to do this) and the attackers' service wouldn't be very popular if many of their customers' accounts got cancelled.

Correct answer by bk2204 on January 4, 2021
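One way abuse tooling could combine the two signals the answer names (a submitted credential matched against a public breach corpus, and a login from a shared source IP that is cycling through many different accounts), written as an added Python example. This is not Unsplash's code and not part of the original answer; the breach corpus, thresholds, usernames, timestamps and RFC 5737 documentation IPs are all constructed for the example.

```python
"""Added example (not Unsplash's code or the original answer's): a small
credential-stuffing detector in the shape the answer describes, run over
constructed login events. Two signals are combined per successful login:

  1. the submitted password hashes into a constructed breach corpus (keyed by
     SHA-1, the way public "pwned passwords" lists are distributed);
  2. the source IP has attempted many *distinct* usernames inside a short
     window, the signature of an automated stuffing run rather than one
     person mistyping their own password.

Corpus, events, IPs (RFC 5737 documentation ranges) and thresholds are all
constructed for the example.
"""
import hashlib
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Optional, Set, Tuple


def sha1_hex(password: str) -> str:
    """Uppercase SHA-1 hex digest, the key format used by public leaked-password sets."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed "public database" of leaked passwords. A real deployment would
# check the hash against a large breach corpus at login time, when the
# plaintext is briefly available, and store nothing but the verdict.
LEAKED_PASSWORDS: Set[str] = {sha1_hex(p) for p in ("password1", "qwerty123", "letmein")}

WINDOW_SECONDS = 300          # sliding window per source IP (constructed)
DISTINCT_USER_THRESHOLD = 5   # >= this many accounts from one IP in the window


@dataclass(frozen=True)
class LoginEvent:
    ts: int            # seconds since epoch (constructed)
    user: str
    password: str      # only available while authenticating; never logged
    ip: str
    success: bool


class StuffingDetector:
    """Keeps a per-IP sliding window of (timestamp, username) attempts.

    Events must be fed in timestamp order, as an auth service would emit them.
    """

    def __init__(self, window: int = WINDOW_SECONDS, threshold: int = DISTINCT_USER_THRESHOLD):
        self.window = window
        self.threshold = threshold
        self._attempts: Dict[str, Deque[Tuple[int, str]]] = defaultdict(deque)

    def _distinct_users(self, ip: str, now: int) -> int:
        queue = self._attempts[ip]
        while queue and now - queue[0][0] > self.window:   # expire old attempts
            queue.popleft()
        return len({user for _, user in queue})

    def observe(self, ev: LoginEvent) -> Optional[dict]:
        """Record one attempt; return an alert dict for a suspicious *successful* login."""
        self._attempts[ev.ip].append((ev.ts, ev.user))
        distinct = self._distinct_users(ev.ip, ev.ts)
        reasons: List[str] = []
        if sha1_hex(ev.password) in LEAKED_PASSWORDS:
            reasons.append("password_in_breach_corpus")
        if distinct >= self.threshold:
            reasons.append("stuffing_source_ip")
        # Failures still count toward the window, but only a successful login
        # is worth a "someone got in" notification like the one in the question.
        if not ev.success or not reasons:
            return None
        return {
            "ts": ev.ts,
            "user": ev.user,
            "ip": ev.ip,
            "distinct_users_from_ip": distinct,
            "reasons": reasons,
        }


def run_detector(events: List[LoginEvent]) -> List[dict]:
    detector = StuffingDetector()
    alerts: List[dict] = []
    for ev in sorted(events, key=lambda e: e.ts):
        alert = detector.observe(ev)
        if alert:
            alerts.append(alert)
    return alerts


# Constructed events: one IP sprays leaked passwords across six accounts and
# finally gets into "victim"; two unrelated users log in from their own IPs.
SAMPLE_EVENTS = [
    LoginEvent(1000, "alice",  "password1", "203.0.113.7", False),
    LoginEvent(1005, "bob",    "letmein",   "203.0.113.7", False),
    LoginEvent(1010, "carol",  "qwerty123", "203.0.113.7", False),
    LoginEvent(1015, "dave",   "password1", "203.0.113.7", False),
    LoginEvent(1020, "erin",   "letmein",   "203.0.113.7", False),
    LoginEvent(1025, "victim", "password1", "203.0.113.7", True),
    LoginEvent(1030, "carol",  "correct horse battery staple", "198.51.100.20", True),
    LoginEvent(1040, "frank",  "qwerty123", "198.51.100.44", True),
]

if __name__ == "__main__":
    for alert in run_detector(SAMPLE_EVENTS):
        print(alert)
```

Running it flags the login into "victim" with both reasons (leaked password, six distinct accounts from one IP in five minutes) and the login by "frank" with only the breach-corpus reason, while "carol" from her own IP is left alone. Counting distinct usernames rather than raw failures is deliberate: a stuffing run typically tries each account once or twice, so a failure-rate rule tuned for brute force never fires. The caveat is that real campaigns spread attempts across many proxy IPs to stay under any per-IP window, so in practice the breach-corpus match carries most of the signal and the IP window mainly tells you how noisy the campaign was.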
