That sounds like the only reasonable explanation, but then I'd argue the cold storage wasn't cold at all.
Cold storage in my eyes means an offline store of the private key for all the 'cold stored' coins, which require manually importing to a machine and then extracting from it into the hot wallet.
Unless of course that's exactly what they were doing, but were topping up the hot wallet without realising there was a leak.