Hackers will often use a VPS to help make it harder for them to be identified in a hacking event.
Hackers may funnel their traffic through VPS servers so that it's not as easy to detect them like it would if they used their own computers through their ISP.
Flexibility: fire up/tear down task specific machines in mere seconds (IaC is real); need a quick api? A windows box? No prob. Need that tool/task/job on for a week? Well - mom/significant other/cleaning lady/cat won't bother with your VPS.
Performance: need some firepower? You got it the touch of a button. Solid global upstream bandwidth? Yup. Got bigger fish to fry? Have at it from various globally dispersed cloud and service instances at the same time.
And OPSEC: knocked on the wrong door? Not a prob - it's way harder to identify your free tier AWS box hiding among million others than spotting your home IP or your "we do not log" logging VPN.
The ability to tear down and spin up incredibly quickly. Also there is the ability to spin up multiple machines for different usages. I have a script that once I SSH into my VPS for the first time I run the script and it updates the machine and installs all the tools I use regularly.
Need a machine that's on 24/7 that doesn't lose it's internet connection, then a VPS is for you.
Another huge benefit of a hacker using a VPS is the ability to choose how much power you need the VPS to have depending on usage.
Public IP addresses are much easier to configure for handlers/listeners. You don't have to set up port forwarding rules through a router because everything is going straight to your server IP. Any firewall rules that are in place you set up server side.
The ability to set up a mail server. You do have to sometimes contact the the hosting provider for them to allow this usage of port 25 because it is blocked to stop spammers from using their service.
Want to crack some password hashes but don't want to build a 8 GPU rig several VPS hosting companies have a multiple GPU option (they are expensive so don't for get to turn them off/destroy them when finished).
Need to throw up a quick fishing page or a poxy to MITM a real login page a VPS is the easiest way to do this.
If you want to scan a large block of IPs, because of the bandwidth you can get with a VPS this is the way to go.