I think that if what you are saying is true, then it is possible that brainwallet.org was a scam site all along and was storing people's passphrases.
I have an old copy of brainwallet.org running because of the useful utilities and just rechecked it using a network inspector a few minutes ago: it didn't store or send the passphrases I entered.
I'm thinking about the following possibilities:
- He used this address with software that had a faulty RNG implementation; his private key was exposed to the cracker after recovering the R value
- brainwallet.org turned into a full scam site a few hours to days before the shutdown
- His passphrase was too weak, example: wrhwrhwrhwrhwrhwrhwrhwrhwrhwrhwrhwrhwrhwrhwrhwrhwrhwrhwrhwrhwrhwrhwrhwrhwrhwrhw rhwrh has 84 characters but it's still guessable
- He had the private key in the clipboard while pressing CTRL+v in the wrong browser window without even noticing
- He had the private key imported into an insecure wallet software and forgot about it
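The weak-passphrase possibility in the list above, as an added example that is not part of either post: a strength check that measures a passphrase by its smallest repeating unit instead of its length. The 26-letter alphabet, the 128-character length limit and the sample string (constructed as "wrh" repeated 28 times, 84 characters) are assumptions.

```python
import math

def smallest_repeating_unit(s: str) -> str:
    """Shortest prefix u such that s is a prefix of u repeated (KMP border trick)."""
    n = len(s)
    if n == 0:
        return ""
    fail = [0] * n          # fail[i] = longest proper border of s[:i+1]
    k = 0
    for i in range(1, n):
        while k and s[i] != s[k]:
            k = fail[k - 1]
        if s[i] == s[k]:
            k += 1
        fail[i] = k
    return s[: n - fail[-1]]

def naive_bits(s: str, alphabet: int = 26) -> float:
    """Entropy a length-only meter would credit: every character counted as random."""
    return len(s) * math.log2(alphabet)

def structured_bits(s: str, alphabet: int = 26, max_len: int = 128) -> float:
    """Upper bound on guessing work for a 'repeat a short unit' search:
    every unit of this length, at every total length up to max_len (assumed limit).
    Only this one pattern is modelled; dictionary words are not detected."""
    unit = smallest_repeating_unit(s)
    cost = len(unit) * math.log2(alphabet) + math.log2(max_len)
    return min(cost, naive_bits(s, alphabet))

# Constructed sample: 84 characters, but only 3 of them carry information.
PASSPHRASE = "wrh" * 28

if __name__ == "__main__":
    for p in (PASSPHRASE, "qzjxkvw"):
        print(f"len={len(p):3d} unit={smallest_repeating_unit(p)!r:10} "
              f"naive={naive_bits(p):6.1f} bits  structured={structured_bits(p):5.1f} bits")
```

A wallet or passphrase form that rejects inputs whose structured estimate falls far below the naive one catches this class of passphrase before it is ever used to derive a key.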
Everything you are saying is correct and ultimately we won't really know what happened unless the thief/hacker/scammer/etc tells us.
But I just think it is suspect that brainwallet.org would shut down because of a brainwallet cracker program presentation?
Seems unusual to me. If the brainwallet design is sound and people use it appropriately, then you don't need to take the site down.
I'm also now thinking LiteCoinGuy might be right when he said:
... or there was some kind of bug in the code...
That would explain why the site went down if it was not a scam site, IMO.