The idea is simple. We build a proxy that connects to Nicehash as one or more stratum clients (both EU and US endpoints preferably), and acts as a stratum server to miners.
The work that Nicehash sends contains the previousBlockHash. We run full nodes to all coins using Lyra2REv3, and index those blocks. We can then lookup the previousBlockHash that's part of the stratum work in our set of known blocks. If it is absent from there, there is most likely someone privately mining blocks.
We add a public frontend to this data that shows all work on blockhashes not matching any known public blocks. We keep the work given to the miner archived in a database, so that in case of an actual reorg we can prove Nicehash was used to conduct the attack.
The reason for actually mining versus just connecting to stratum and reading work, is that Nicehash will eventually kick you off their stratum server if you don't submit any work.