Comment by WaitWaitWha

> ... The hackers would still need physical access to the hard drives to use the stolen recovery keys.

This is incorrect. A full disk image can easily obtained remotely, then mounted wherever the hacking is located. The host machine will happily ask for the Bitlocker key and make the data available.

This is a standard process for remote forensic image collection and can be accomplished surreptitiously with COTS.