Yeah, I'm not following this either. TTM waits for confirmations, so if the network has confirmed them, they should be good (aka not fake). Plus if no accounts had the deposits, how were they able to withdraw? .
Short version: we used block.io as a callback provider. Someone bruteforced the deposit password and our system trusted this source (should have double checked)
Really interesting stuff! I wouldn't even know where to start when exploiting things like that. As irritated as I get when people do hacks like this, there's also a certain level of respect I have for their ability to find loopholes and such.
That said, I wish they'd leave TTM (and my investments!) alone, :p.