wait a second - how the hell would this vulnerability allow withdrawing unlimited amount of bitcoins?
if you withdraw coins and dupe the TX with a wrong hash you are not getting double coins in any way and why would a marketplace then refund the customer? it doesn't make any sense.
if you deposit coins and dupe the TX with a wrong hash then you may see "unconfirmed" coins under your balance that will never get any confirmations.
explain me if I misunderstand anything here
The guy could be a fraud. Or the site was legitimately hacked. Or .. there is another protocol weakness resulting in missing coins on exchanges/retailers that people are misattributing to tx malleability.