Can anyone explain how this transaction malleability bug can be exploited to steal coins from a Bitcoin address? I thought it can only happen if you are an exchange, like Gox or Stamp, and people are making withdrawals.
I can't explain it to you, because it cannot happen. This is a blatant lie, the OP stole everyone's coins and, as the other poster said, anyone stupid enough to leave coins on a hosted site dedicated to selling illegal products deserves to have their bitcoins stolen.