If the "attacker" exposes him/herself and he/she is in the US as he said in the open letter, I think he could be sent to prison for the hacking with bad intent.
I think a decent lawyer could fight that, as the code was supposed to be "golden"; this is a feature.

Now, despite the bug being openly disclosed, I still think the SEC might have something to say about that massive short. They will poke around at least.