This is very sad to hear. More so for the owners of raided coins.
If there was a leak of private keys somewhere in the production process the manufacturer should know the name of the people involved.
So if an investigation is ongoing no much info can be publicly released. Over time hope some names surface, we know who did it in Coinographic's case.
Richard was apparently the only one with access to private keys, so he stole them himself, or he is flat out lying.
One other possibility is that he
thought he was the only one to ever see the private keys but someone else got a copy of (some of) them.
They did have a lot of people on their failed "risk management" committee/team.
But how is that possible? He claimed he created the private keys himself, then engraving coins and destroyed the private keys. It's a pretty simple process.
Simple process with many steps.
Created - how, on which device, who else had access to this device before or after the key was generated? Engraving - where, was the room checked for recording devices, did he ever leave that room for bio needs, who else could have been in the building at this time? Packaging the coin - same questions. There is a lot of trust you need to put in the process of private key creation to be sure it did not get recorded somewhere. As they got sweeped only now, when BTC price reached newsworthy levels, probably the thief/person who had the partial list of keys only remembered about that now. Would be pretty hard to find a trace of what could have happened 3 years ago... Only if he's dumb enough to cash out.
PS on a related note, if anybody selling compromised joannas / adam smiths after you get your refund, please PM.