"First off, the selling of coins into another coin to drive its price up doesn't make sense when the hacker could just sell the coins for a privacy coin and then get them off the server."

It does make sense when you consider that API keys allow for different settings, usually when you create an API key for a bot you don't tick the "allow withdrawals" box thus withdrawing with the hacked keys was actually impossible. So they went for the next best option, to pump a coin they bought.