They paid for the ad, theymos can either show the ad or refund them, he can't just take the money. Sure they attempted to scam, but that doesn't mean you can scam them back, if they had actually defrauded somebody then maybe there would be a case where theymos would refund that person, but they haven't actually managed to scam yet, with that account anyways.
Attempted theft is also a crime.
I think trying to inject whatever code to an advertisement is enough reason to assume they wanted to scam.
No need to display the ad or refund imo.
Displaying the ad also has a high risk that they might set up new malicious code on that site, they have proven that they want to do that.
You may argue there was no malicious code there, but what other reason exists to try this code injection?