Whoever did the hack doesn't have to spend all they just have to convert a couple million Nem to eg Monero and that's it. They are in a safe secure and very anonymous crypto. There are also websites that mix up your coins with other people's to add even more anonymity. They might not be able to spend all or to cash out all but certainly millions if they do it right. I expect criminals to try to be criminals but a financial service company must be expected to be professional and have the highest security possible. WTF happened?
And if some Nem are now "dirty" and cannot be spent what does that say about Nem's anonymity?
What would stop a maliscious actor from tainting innocent people's Nem as being dirty?
I own some Nem by the way.