Especially with these stupid gambling services: you only need to change the txid so the actual better can have plausible deny-ability in the doublespending, and being successful only a small percentage of the time is enough to shift the odds in favor from the house to the player.
Might be worth offering two alternative hypothesizes that the data also works for:
(1) attacker spent a whole lot of BTC to frame ghash.io by paying it to a well known address of theirs unsolicited.
(2) ghash.io sold their hashpower to a third party, who used it to perform the attack and the payments were payments for more hashpower.
(IMO, (2) should be regarded as the community as even _worse_ than attacking themselves, ... but I know that the community doesn't regard blindly selling hashpower as treacherous.)
(2) is possible, but we need more data.
It would be good to hear from someone who had been mining on ghash back then to check their earnings.