Let's get this discussion back on track. Skimmed last few pages but it seems to have died out a bit.
This is probably some kind of MITM attack as the user was connected to a fake pool after disconnection. The question is where this MITM attack was performed.
I've noted a common element between CleverMining, Wafflepool and Multipool.us, all of which have users claiming to be affected.
All 3 use us-west stratum servers hosted by Digital Ocean.
I haven't checked all the stratum servers in different regions, but this certainly is a common enough element to add to the consideration.
It might be possible that misconfiguration on DO's side has opened up some attack vectors on these stratum servers.