I don't follow your argument here - why would a thief, on finding an exploitable instance of Geth, transfer its funds to an address derived from a weak private key? Is that the only way this exploit works?
That is what I thought, but in this case, the ether that are presumed to have been stolen are those that have shown up at addresses with weak keys and then moved to another address (one without a guessable key), often as soon as they show up at the first address. The authors tested this hypothesis by moving a dollar's worth of ether to one of these addresses, and it was immediately stolen from them. I do not see how one could conclude that these presumably-stolen coins were stolen through the Geth exploit.
