Well, if I were the attacker, this is how I would go:
1) Buy some BTC with cash from the exchange
2) Try to withdraw it using malleable transactions (for this I would need to make some arrangements)
3) Claim I have not received it and try to get them to send it again
4) Repeat steps 1-3 using different IPs and accounts, using small amounts so as to make the trace hard to detect.
Attack successful. If I do not get more than the amount of BTC I should get, it will at least bring the exchange/processor to a halt.
Win win win!!
Or am I missing something? Would like to know from the core devs/experts if this is possible.
PS: Obviously this would be successful with an exchange/processor who is using txid for his system. Otherwise the above fails.
No, if the exchange immediately broadcasts *all* transactions to the network. Which is all of them, except MtGox. Which is no longer an exchange, anyway.
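The caveat in the first post, that the scheme depends on the processor tracking payouts by txid, is shown below from the processor's side as an added example (not code from either poster or from any exchange). `Tx`, `payment_key` and `WithdrawalLedger` are hypothetical names, the sample values are constructed, and SIGHASH_ALL signatures are assumed, so the spent outpoints and the outputs cannot change when the txid is mutated.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Tx:
    txid: str       # hash of the full serialization, signatures included
    inputs: tuple   # ((prev_txid, vout), ...) outpoints being spent
    outputs: tuple  # ((address, satoshis), ...)

def payment_key(tx):
    """Identifier built only from signed fields (assumes SIGHASH_ALL):
    the spent outpoints and the outputs, never the signature bytes."""
    h = hashlib.sha256()
    for prev, vout in tx.inputs:
        h.update(f"in:{prev}:{vout};".encode())
    for addr, amount in tx.outputs:
        h.update(f"out:{addr}:{amount};".encode())
    return h.hexdigest()

class WithdrawalLedger:
    def __init__(self):
        self.pending = {}   # payment_key -> withdrawal id
        self.settled = {}   # withdrawal id -> txid that actually confirmed

    def record_broadcast(self, withdrawal_id, tx):
        self.pending[payment_key(tx)] = withdrawal_id

    def on_confirmed(self, tx):
        # Match on payment_key, so a confirmed copy with a different txid
        # still settles the withdrawal it belongs to.
        wid = self.pending.pop(payment_key(tx), None)
        if wid is not None:
            self.settled[wid] = tx.txid
        return wid

    def may_resend(self, withdrawal_id):
        # Refuse a resend once any confirmed transaction matched the payout.
        return withdrawal_id not in self.settled

# Constructed sample: the same payment confirmed under a different txid.
SENT = Tx("aa11", (("f00d", 0),), (("addr_customer", 50_000_000),))
MUTATED = Tx("bb22", SENT.inputs, SENT.outputs)
```

Even while a payout is still unconfirmed, a replacement should spend at least one of the original outpoints so that the two transactions cannot both confirm.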