Board: Scam Accusations
Re: CRYPTSY stopping withdraw locking accounts without notifying users! Class Action
by suchmoon on 15/01/2016, 23:44:11 UTC
Here's another idea, by the way. They obviously have to have another wallet set up on (presumably) another computer to send the cold wallet funds. What if Paul downloaded the Lucky7Coin wallet there, either for personal use or for making a cold wallet for it? That's a MUCH easier and more likely way to pwn their cold wallets than moving horizontally within the network or dropping another payload for Paul to download and then breaking in.

For the backdoor to work it needs to be able to connect to the perp's server. If Vern, or whoever handled the cold wallet, had only signed the TX on the unconnected cold wallet computer and then broadcast it from another machine, there would have been no chance for a remote attack. Although a sufficiently sophisticated trojan could probably inject something into the TX being signed, that's incredibly unlikely, and you have to be a total donkey not to double check whether you're sending 13k to the correct address. Once you connect the "cold" wallet to the net, though, it's not cold anymore.

Even the most basic privilege separation (i.e. not running multiple wallets as root on the same instance) and network filtering would have made it so much more complicated for the attacker. Doesn't look like that was the case here. Multiple major security blunders were needed for this to happen.

That's assuming the Cryptsy blog post was at least partially true. It's still quite likely that it's just a smoke screen. We haven't seen any post-mortem analysis of the breach or anything like that.
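As an added illustration of the "double check the TX before it leaves the signing machine" point above (example code written for this page, not from the post, from Cryptsy or from any wallet project): a pre-broadcast check that parses a legacy (pre-SegWit) raw transaction and confirms it pays exactly the intended amount to the intended address, with every other output returning to one of the wallet's own change addresses. The transaction, addresses and hashes are constructed for the example, and `hash160_to_address` exists only to build that sample.

```python
import functools, hashlib

ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
sha256d = lambda b: hashlib.sha256(hashlib.sha256(b).digest()).digest()

def read_varint(buf, pos):  # CompactSize: one byte, or 0xFD/0xFE/0xFF prefix + 2/4/8 bytes
    if buf[pos] < 0xFD:
        return buf[pos], pos + 1
    size = 2 << (buf[pos] - 0xFD)
    return int.from_bytes(buf[pos + 1:pos + 1 + size], "little"), pos + 1 + size

def parse_outputs(raw_hex):  # -> [(value_satoshi, scriptPubKey_hex), ...] of a legacy raw tx
    buf = bytes.fromhex(raw_hex)
    n_in, pos = read_varint(buf, 4)           # 4-byte version, then the input count
    for _ in range(n_in):                     # input = txid(32) vout(4) scriptSig sequence(4)
        script_len, pos = read_varint(buf, pos + 36)
        pos += script_len + 4
    n_out, pos = read_varint(buf, pos)
    outputs = []
    for _ in range(n_out):                    # output = value(8) scriptPubKey
        script_len, end = read_varint(buf, pos + 8)
        outputs.append((int.from_bytes(buf[pos:pos + 8], "little"), buf[end:end + script_len].hex()))
        pos = end + script_len
    if len(buf) - pos != 4:                   # only the 4-byte locktime may remain
        raise ValueError("trailing bytes: truncated, malformed or SegWit-serialized tx")
    return outputs

def address_to_script(address):  # P2PKH scriptPubKey hex; rejects a corrupted Base58Check address
    data = functools.reduce(lambda n, c: n * 58 + ALPHABET.index(c), address, 0).to_bytes(25, "big")
    if sha256d(data[:21])[:4] != data[21:]:
        raise ValueError("bad address checksum: " + address)
    return "76a914" + data[1:21].hex() + "88ac"

def hash160_to_address(h160_hex):  # version-0 Base58Check; used here only to build sample data
    data = b"\x00" + bytes.fromhex(h160_hex)
    n, out = int.from_bytes(data + sha256d(data)[:4], "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = ALPHABET[r] + out
    return "1" + out                          # the one leading zero byte encodes as '1'

def check_before_broadcast(raw_hex, destination, amount_sat, change_addresses):
    # True only if exactly one output pays amount_sat to destination and every other
    # output returns to one of our own change addresses; anything else is a red flag.
    pay, change = address_to_script(destination), {address_to_script(a) for a in change_addresses}
    outputs = parse_outputs(raw_hex)
    return ([v for v, s in outputs if s == pay] == [amount_sat]
            and all(s in change for v, s in outputs if s != pay))

# Constructed sample (made-up hashes, not a real transaction): one input, 13 000 coins
# to the intended destination and 5 coins of change back to our own wallet.
DEST, CHANGE, ROGUE = (hash160_to_address(h * 20) for h in ("11", "22", "33"))

def sample_tx(dest):
    out = lambda v, a: v.to_bytes(8, "little").hex() + "19" + address_to_script(a)  # 0x19 = 25-byte script
    return ("01000000" + "01" + "aa" * 32 + "00000000" + "00" + "ffffffff" + "02"
            + out(13000 * 10**8, dest) + out(5 * 10**8, CHANGE) + "00000000")
```

Run the check on the offline signing machine against the hex you are about to sign or carry over for broadcast; a swapped destination, a wrong amount or an unexpected extra output all return False.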