Regardless, for Shakepay to be creating a transaction that uses the exact same UTXO that was created when they received the bitcoins on behalf of the OP, it means that they need to be keeping ALL bitcoins in a Hot Wallet.
Why does it? What's stopping them from creating a bunch of offline wallets, and importing the master public keys of these wallets to their exchange servers to generate addresses for users to deposit their bitcoin to? It would require someone to manually approve and transfer all unsigned/signed transactions back and forth, but it's not impossible. I agree it is unlikely, but not impossible. However, as I explained above, Shakepay don't do this and batch their withdrawal transactions normally.