I keep seeing tables of how easy it is to brute force a password depending on length and complexity, but how does the brute force attack get past the account lockout feature?


Every system I’ve ever maintained has an account lockout after a few attempts.


18 Answers

Anonymous

Not every system has an account lockout, and not every attacker is coming through the front door.

Sometimes the attacker has stolen a database full of hashed passwords. Since that means they now have a “backdoor” and can access the data without using the main service (the front door), they can write a tool to make attempts at finding a match for the password data in the database *without* a lockout or the relative slowness of accessing the internet.

This is also dangerous because, once they steal that database, the data never goes away, so even if it takes them months to crack some of the passwords, they might have nothing better to do than let their tool attack it until it finds something.
