Sniffing around it appears clear that TT was penetrated some time ago, and at some point, 'pros' got involved and emptied what they could. Subsequently the vulnerabilities have become a little more public and the odd script kiddy has been picked up trying it out. I'll bet it will be IP addresses that caught these little rascals, but there will be no evidence of large scale data theft and forwarding.