I think that if what you are saying is true, then it is possible that brainwallet.org was a scam site all along and was storing people's passphrases.
I have an old copy of brainwallet.org running because of the useful utilities and just rechecked it using a network inspector a few minutes ago: it didn't store or send the passphrases I entered.
I'm thinking about the following possibilities:
- He used this address with software that had a faulty RNG implementation, and his private key was exposed to the cracker after recovering the R value
- brainwallet.org turned into a full scam site a few hours to days before the shutdown
- His passphrase was too weak, example: wrhwrhwrhwrhwrhwrhwrhwrhwrhwrhwrhwrhwrhwrhwrhwrhwrhwrhwrhwrhwrhwrhwrhwrhwrhwrhw rhwrh has 84 characters but it's still guessable
- He had the private key in the clipboard while pressing CTRL+v in the wrong browser window without even noticing
- He had the private key imported into insecure wallet software and forgot about it
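
The weak-passphrase possibility above, as an added example that is not part of the original post: a strength check that looks for a repeated unit before trusting length. The function names, the character-class sizes and the 128-character maximum length are assumptions, and the sample is constructed as 28 repetitions of "wrh" to match the 84 characters described.

```python
import math
import string

# Constructed sample: 28 repetitions of "wrh", 84 characters as described in the post.
SAMPLE = "wrh" * 28

def smallest_period(s):
    """Shortest unit u such that s is a prefix of u repeated (KMP prefix function)."""
    if not s:
        return ""
    pi = [0] * len(s)
    for i in range(1, len(s)):
        k = pi[i - 1]
        while k and s[i] != s[k]:
            k = pi[k - 1]
        if s[i] == s[k]:
            k += 1
        pi[i] = k
    return s[: len(s) - pi[-1]]

def charset_size(s):
    """Assumed alphabet size, from the character classes that appear in s."""
    size = 0
    if any(c in string.ascii_lowercase for c in s):
        size += 26
    if any(c in string.ascii_uppercase for c in s):
        size += 26
    if any(c in string.digits for c in s):
        size += 10
    if any(c not in string.ascii_letters + string.digits for c in s):
        size += 33  # assumed count of printable ASCII symbols, space included
    return size

def naive_bits(s):
    """Length-only estimate: every character treated as independent."""
    return len(s) * math.log2(charset_size(s)) if s else 0.0

def effective_bits(s, max_len=128):
    """Lower of the naive estimate and 'pick a unit, then pick a total length'."""
    unit = smallest_period(s)
    structural = naive_bits(unit) + math.log2(max_len)
    return min(naive_bits(s), structural)

if __name__ == "__main__":
    print(len(SAMPLE), repr(smallest_period(SAMPLE)))
    print(round(naive_bits(SAMPLE), 1), round(effective_bits(SAMPLE), 1))
```

A length-only meter rates the sample at several hundred bits, while the repeated-unit model puts it at roughly 21 bits, which is why such a passphrase is unsuitable as the sole secret behind a key.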