Board: Pools (Altcoins)
Topic: Re: [ANN][POOL] Profit switching pool - wafflepool.com
by comeonalready on 23/03/2014, 11:02:33 UTC

What we think it is:
Our best guess at the current time is a MITM attack somewhere on the internet.  Because it is in a specific location, they would only be rerouting certain segments of traffic, not everyone, which lines up with what we're seeing.  This could either be done at the DNS level for those specific users, or at the BGP level (less likely).  What would happen in this case is that mining traffic from users affected would go _through_ this other user's IP before being relayed to WP.  He would let you associate and start mining, and at some point, inject a single packet into the stream that says "redirect your miner to this other address".  At which point your miner would listen and redirect to his address and start mining there.

As for how to combat it, it really depends on how they're becoming the middlepoint, which we don't know yet.  Both Multipool and we have endpoints in the same datacenters, so it is possible that it's something at the host, but that seems a bit unlikely due to it only affecting some users, and that subset of users isn't a changing group for the most part (it's not a random 1%, it's a selected group).


I cannot help but wonder that if it is a true man-in-the-middle attack, then why would he even bother allowing miners to initiate and authorize a stratum connection to the intended pool server in the first place, instead of just rewriting the destination headers in the incoming TCP packets from the clients to include the desired server IP address and TCP port within the incoming packets themselves, as he would also be able to rewrite source headers within the return traffic?  By doing that, the miners would still see wafflepool listed on their cgminer display, as opposed to the rogue server IP address.  This could suggest that he is only able to inspect the network traffic but not rewrite it, so therefore TCP packets with forged source headers containing client.redirect command messages are being sent to miners because he is not relaying traffic but only inspecting it.

Though in support of a true man-in-the-middle attack, for a day or two you had been searching for a reason why miners were not receiving work from the servers quickly enough, such that some miners (specifically noticed by cudaminers) were going idle.  At that point he might have still been setting up shop but not yet begun his attack.  It is unfortunate that the stratum server code on the servers had only been running briefly, and that you cannot be absolutely certain that some as yet unknown problem does not still reside within it (a performance-related problem, not a vulnerability).
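The defensive counterpart to the injected redirect discussed in this thread, as an added example that is not part of the original post or of wafflepool's code: a miner-side check that parses the pool's newline-delimited stratum JSON-RPC stream and refuses any `client.reconnect` (the message the post calls a "redirect" / `client.redirect`) whose target host differs from the pool the miner was configured for. The sample stream, the `pool.example.com` hostname and the `198.51.100.23` address are constructed.

```python
import json

# Constructed sample of the pool-to-miner side of a stratum session, one
# JSON-RPC message per line. The last line is the kind of single injected
# message the post describes; stratum's method name for it is client.reconnect
# and its params are [host, port, wait_seconds].
SAMPLE_STREAM = b"""\
{"id":1,"result":[[["mining.set_difficulty","1"],["mining.notify","1"]],"08000002",4],"error":null}
{"id":2,"result":true,"error":null}
{"id":null,"method":"mining.set_difficulty","params":[512]}
{"id":null,"method":"mining.notify","params":["1","prevhash","cb1","cb2",[],"00000002","1d00ffff","5330c9f3",true]}
{"id":null,"method":"client.reconnect","params":["198.51.100.23",3333,0]}
"""


def audit_stream(raw: bytes, configured_host: str):
    """Return (line_no, verdict, detail) for every redirect seen in the stream.

    Plain stratum over TCP has no integrity protection, so a policy check on
    the client is the only place an injected reconnect can be caught:
    a reconnect is 'allowed' only if it points back at the configured pool.
    """
    findings = []
    for n, line in enumerate(raw.splitlines(), 1):
        if not line.strip():
            continue
        try:
            msg = json.loads(line)
        except ValueError:
            findings.append((n, "malformed", line[:40].decode(errors="replace")))
            continue
        if msg.get("method") != "client.reconnect":
            continue
        params = msg.get("params") or []
        host = params[0] if params else None
        port = params[1] if len(params) > 1 else "?"
        verdict = "allowed" if host == configured_host else "blocked"
        findings.append((n, verdict, f"reconnect to {host}:{port}"))
    return findings


def filter_stream(raw: bytes, configured_host: str) -> bytes:
    """Drop blocked reconnect lines so a local guard can forward the rest."""
    blocked = {n for n, verdict, _ in audit_stream(raw, configured_host) if verdict == "blocked"}
    kept = [l for n, l in enumerate(raw.splitlines(keepends=True), 1) if n not in blocked]
    return b"".join(kept)


if __name__ == "__main__":
    for finding in audit_stream(SAMPLE_STREAM, "pool.example.com"):
        print(finding)
```

Running it against the sample flags line 5 as a blocked reconnect to 198.51.100.23:3333 and leaves the other four messages untouched.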