I understand the risk is on the investors too and the situation would have been different if the cheater managed to withdraw all the money.
But the cheater didn't get any of it, so if you do rewind the cheater's bets, it seems very obvious that you should refund to the affected investors. To suggest otherwise seems ridiculous to me. And to give free money to people who invested after the whole situation seems even more crazy.
Let me put it differently: you saw the errant bets and you divested and withdrew your money, in a panic and at a loss.
That seems like a normal thing to do. If I see a site is hacked, obviously my first reaction is to withdraw my own money. You must be pretty stupid to not immediately make sure your left-over money is safe.
Because there had been users created and withdrawals / deposits processed in the meantime, we couldn't simply roll the database back.
You shouldn't roll the whole database back; you should look at which investors were affected by the cheater and how much they lost. In theory just the rolls and the invest/divest information should be sufficient. I understand it's technically tricky and needs some custom script to calculate, but that seems like the only fair way.
E.g.: you have the invested amounts of the current investors. Loop over all events (= all bets + divests/invests) from the latest back to the start of the cheater. The first event is probably some real bet after the cheater; recalculate what the invested amounts were before that bet. Second event, same. If the event is an invest/divest, adjust the invested amounts too. Then when you reach the last bet of the cheater, you should have all the info on which investors were invested at that time, including the amount. Separately save how much they lost (or gained) in that cheater's bet. Continue the loop, and if the event is a cheater's bet, do the same. All the way until you are back at the first cheater's bet. IMO after this, you should have a list of investors with specific amounts of how much they lost? Reimburse those amounts to the investors.
What if the attacker had gotten away with his withdrawals, and we had to socialise the loss? Would you deposit your money back in to participate in that?
BillyBurns already made a loss from the cheater? So if you decided the losses were on the investors, nothing would have changed? He wouldn't need to deposit - he is already at a loss.
edit: TBH I am not sure how many investors actually divested like BillyBurns. If he is the only one, things are probably easier :x But just the mindset of refunding the investors who actually lost money seems important to me.
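The backwards walk over the ledger that the post sketches (undo each bet and invest/divest from the newest event back to the first cheater bet, recording who was invested at each cheater bet and what they lost) can be written down concretely. The code below is an added example, not code from the poster or from the site involved. It assumes the usual bankroll model where a bet's result is split across investors pro rata to their stake at that moment, and that invest/divest entries move exact amounts; the ledger, names and amounts are constructed here, and the forward replay exists only to cross-check the reverse walk against a known history. Exact fractions are used so the reconstruction does not drift from the site's own totals.

```python
from dataclasses import dataclass
from fractions import Fraction
from typing import Dict, List, Optional, Tuple

Balances = Dict[str, Fraction]


@dataclass(frozen=True)
class Event:
    """One ledger entry; the event list is in chronological order."""
    kind: str                       # "bet", "invest" or "divest"
    amount: Fraction                # bet: bankroll change (+ house gain, - house loss); invest/divest: coins moved
    investor: Optional[str] = None  # only for invest/divest
    cheater: bool = False           # only for bets: True if the cheater placed it


def undo_bet(after: Balances, delta: Fraction) -> Balances:
    """Invert a pro-rata bet result: recover every investor's stake from just before the bet.
    Each stake after the bet is stake_before * (total_before + delta) / total_before, so dividing
    by that factor restores it. An empty bankroll cannot have been changed by a bet."""
    total_after = sum(after.values(), Fraction(0))
    if total_after == 0:
        return dict(after)
    total_before = total_after - delta
    return {name: stake * total_before / total_after for name, stake in after.items()}


def reconstruct_cheater_losses(current: Balances, events: List[Event]) -> Tuple[Balances, Balances]:
    """Walk the ledger backwards from the current stakes to the first cheater bet (the post's method).
    Returns (stakes just before the first cheater bet, loss per investor caused by cheater bets;
    a negative loss means that investor actually gained on the cheater's bets)."""
    cheat_indexes = [i for i, e in enumerate(events) if e.kind == "bet" and e.cheater]
    balances = {name: Fraction(stake) for name, stake in current.items()}
    losses: Balances = {name: Fraction(0) for name in balances}
    if not cheat_indexes:
        return balances, losses
    for event in reversed(events[cheat_indexes[0]:]):
        if event.kind == "invest":
            balances[event.investor] = balances.get(event.investor, Fraction(0)) - event.amount
        elif event.kind == "divest":
            balances[event.investor] = balances.get(event.investor, Fraction(0)) + event.amount
        elif event.kind == "bet":
            before = undo_bet(balances, event.amount)
            if event.cheater:
                # Whoever was invested at this moment carried the result of the cheater's bet.
                for name in before:
                    losses[name] = losses.get(name, Fraction(0)) + (before[name] - balances[name])
            balances = before
        else:
            raise ValueError(f"unknown event kind {event.kind!r}")
    return balances, losses


def simulate_forward(initial: Balances, events: List[Event]) -> Balances:
    """Replay the ledger forwards, the way the site applied it; used to cross-check the reverse walk."""
    balances = {name: Fraction(stake) for name, stake in initial.items()}
    for event in events:
        if event.kind == "invest":
            balances[event.investor] = balances.get(event.investor, Fraction(0)) + event.amount
        elif event.kind == "divest":
            balances[event.investor] -= event.amount
        else:
            total = sum(balances.values(), Fraction(0))
            if total:
                balances = {n: s + event.amount * s / total for n, s in balances.items()}
    return balances


# Constructed ledger (not real site data): two cheater wins, a panic divest at a loss,
# an honest bet afterwards and a new investor who joined after the incident.
F = Fraction
INITIAL: Balances = {"alice": F(100), "bob": F(300)}
LEDGER: List[Event] = [
    Event("bet", F(-40), cheater=True),          # cheater wins 40 from the bankroll
    Event("invest", F(200), investor="carol"),
    Event("bet", F(-56), cheater=True),          # cheater wins 56
    Event("divest", F(81), investor="alice"),    # alice pulls out everything she has left
    Event("bet", F(47)),                         # an honest player loses 47 to the bankroll
    Event("invest", F(100), investor="dave"),    # dave invests after the whole situation
]
CURRENT_STAKES: Balances = simulate_forward(INITIAL, LEDGER)  # stands in for what the database holds now


def refund_table() -> Balances:
    """Investors who lost coins to the cheater and the amount to reimburse to each."""
    _, losses = reconstruct_cheater_losses(CURRENT_STAKES, LEDGER)
    return {name: loss for name, loss in losses.items() if loss > 0}


if __name__ == "__main__":
    for name, amount in refund_table().items():
        print(f"{name}: refund {amount}")
```

Note that alice still gets a refund although she has no stake left, and dave gets nothing because he was not invested during any cheater bet; the refunds add up to exactly what the cheater took from the bankroll (96 here).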