I don't know if I would call the attackers thieves. By the looks of things they aren't making off with bitcoins, they are just invalidating transactions that others are making, and thus making the db's of exchanges inconsistent with the actual bitcoins they possess. They are more like griefers.

The piece of the puzzle I don't understand is how this is a problem for exchanges. Since the very start of bitcoin it was considered that 6 confirmations were required before a transaction was considered valid for any serious financial situation. This probably could drop down to 1 or two conformations since the network is pretty robust now, but considering 0 confirmations as being worth anything? Heck, you wouldn't even do that for an e-commerce site.

My basic conceptual model of how you build any online service using bitcoins as a unit of account is you have a bitcoin address for a user, and you get bitcoins received at that address with 1 confirmation and use that to base the user's balance off of. In your db you then record transfers to and from that user and add and subtract accordingly through a transaction log. So the balance is the sum of bitcoins received + credits - debits.

Not really rocket science, and I feel something must be missing in my view as this very basic system seems the most obvious to me, and it seems like it would be immune to the problems that are plaguing all of the exchanges. Is it just that they were dancing on the edge of the razor of zero-confirm transactions because they felt that turn around was that important?

Please, tell me where I am wrong. Something is not adding up.