I suggest you blacklist this wallet address from receiving coins from BPM and alert those accounts who were switched to it.
It takes one second to create another one..this is no sollution. I just don't understand why the attacker does not use several(let say 50) different adresses to be less traceable.