Which vanity engine are you using, the Java version?  Reason that I ask is that some are suspecting the vanity engine in thefts.

If the java client, have you also reviewed this code?  The code I looked at only has the following imports:

import java.math.BigInteger;
import java.nio.charset.Charset;
import java.security.MessageDigest;  <- SHA256 conversion routine
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Random;
import java.util.concurrent.atomic.AtomicInteger;
import java.util.concurrent.atomic.AtomicLong;
import java.util.regex.Pattern;