It sounds as if the attacker only got the hot wallet, but that unfortunately there was no cold wallet.

It beggars belief that people are still not using offline wallets for the majority of the coins they're responsible for.