chii, 8 days ago
> how the site will send the 2FA code request to the bad actor's phone, instead of the real user's phone?

The 2FA code in this case is in the email, not via an app. This email is triggered by BAD on their end, but it is sent by GOOD. If the 2FA is _only_ via the authenticator app, then BAD will need to convince the user to type the 2FA code from the app into the BAD site (which is harder, as nobody else does this, so it should raise suspicions from the user at least).