I cannot help but wonder: if it is a true man-in-the-middle attack, then why would he even bother allowing miners to initiate and authorize a stratum connection to the intended pool server in the first place, instead of just rewriting the destination headers in the incoming TCP packets from the clients to include the desired server IP address and TCP port within the incoming packets themselves, as he would also be able to rewrite source headers within the return traffic? By doing that, the miners would still see wafflepool listed on their cgminer display, as opposed to the rogue server IP address. This could suggest that he is only able to inspect the traffic but not rewrite it, so therefore TCP packets with forged source headers are being sent to miners because he is not relaying traffic but only inspecting it.
Though in support of a true man-in-the-middle attack, for a day or two you had been searching for a reason why miners were not receiving work from the servers quickly enough, such that some miners (specifically cudaminers) were going idle. At that point he might have still been setting up shop but not yet begun his attack.
Could it be such a clever attack that they would not hijack the whole mining session, but only select packets so as to divert a small portion of hash power to their servers, so people would not see a complete drop in their waffle stats and become too suspicious? I remember seeing some reports of too small hashing power reported by the stats in this thread. Though some have lost their whole work, so maybe this theory has no merit.