Leading up to the hack the "cold wallet" was online almost daily.  In fact the whole IO from the wallet looks completely automated.  If that was the case perhaps the attacker didn't have direct access to the device holding the cold wallet, but instead a computer which controlled the cold wallet through API commands?

Also does anyone know what the small output associated to the larger output is?  This small value seems to be transferred to a fresh wallet and slowly diminishes over time.  looks like it is in part covering the TX fee.