This is MrData from CoinPayments Support.

650 BTC, while a nice chunk of BTC, is not enough to destroy our reputation over. I told the account owner in their support ticket that they need to do a full security audit of the server, preserve all logs, etc., and report it to the appropriate authorities. We will be happy to provide the API and HTTP logs from our end showing the API requests that withdrew the funds to them as well. If the account owner gives us their permission in the support ticket we can post it publicly as well.

Time matters in these situations and I would highly recommend getting the evidence together and reporting it to the FBI cyber crimes division or your local authority ASAP versus blaming us for it. You have also made the addresses public so maybe someone in the community can help track the funds?