I suggest you blacklist this wallet address from receiving coins from BPM and alert those accounts who were switched to it.
It takes one second to create another one... this is no solution. I just don't understand why the attacker does not use several (let's say 50) different addresses to be less traceable.
I don't think this would stop him but I'm assuming there are a lot of accounts that have pending wallet transfers. I think it'd be smart to go ahead and revert any pending wallet transfer to that address in the event someone unwittingly confirms it. I think it'd be wise to roll out mandatory password changes, too, or at least send out an advisory email. I didn't change mine because I switched to a different pool and didn't think about it (plus I had only a very small fractional balance left at BPM). Last time I looked at the address on block explorer it didn't look like he'd snagged any big sums of BTC, so it could be the case that the only accounts with weak passwords were idle accounts, but better safe than sorry.