Can I run with an Apple Watch in the rain?
I've just checked on Whois.us. Both domains are registered to the same person, with a stated address in London.
Try talking to the internet fraud team from your local police. Chances are they're overworked, but if they've got some free time then they may be able to go to TLDsolutions.com and trace the payments. For most countries this would be a dead loss, but US ISPs have to keep records and play nicely with police requests. So they may have screwed up by using a .us domain.
Call the police and sue them in court! That will show them you can be mean. Moreover, it will be legal and you will stay out of trouble.
The attackers are skilled enough to not enable the phone and to set up a fake Find My iPhone site. This clearly shows they understand fairly well how the iPhones security features work and are trying to trick you into revealing the credentials that will let them get around those.
Unless you are highly skilled yourself, they probably have the upper hand in this. The fact that they reach out to you like that shows they are willing to take a (small) risk to get your credentials, so your best bet is to not give them what they want. It is unlikely that you will find a trick that they didn't anticipate, and more likely that in trying you would give them information they can use.
You should get the IMEI blacklisted, if you haven't yet. This is the best effort to make the phone useless for the thieves. With any luck, they'll ditch it somewhere, someone else finds it and turns it on, and it will show up on Find My iPhone.