Interesting analysis. I laughed at how little time you spent discussing the liability of the actual thief. It seems they are rarely caught.
I strongly suspect that signs will point to the fact that this was an inside job overtime. I'm not surprised that they expect to continue operations as normal. Next round of sheep to the slaughter.
Hehe. Yeah, it's not an interesting question because it's so obvious. I too tend to reflexively think that these kinds of things are likely to be inside jobs, and certainly that possibility makes sense.
But an outsider can also compromise one system and leverage that to compromise other systems, over time gaining a deep understanding of the entire design of the operation and penetrating a large number of systems. This takes time though, so they either have to be very good or security has to be very lax for them not to get caught during the long, intelligence gathering process.
It's also possible that security at Bitfinex was much, much worse than we imagine and all the thief had to do was compromise one key or one machine and they could drain all the wallets.