The research looks quite solid. They looked for the right things, and if their data is complete I agree with the conclusions.

There are 3 possible weaknesses to this study in relation to Mt. Gox:

1. The data started in January 2013, so it's possible Gox was hit much harder in previous years. Although that would also mean the amount of time they spent oblivious to the problem increases.

2. It's possible there was more information on the network that the researches weren't able to log. For example if an attacker had control of many nodes very close (physically) to Mt. Gox, and were somehow able to send out their modified transactions faster and "better", then it's possible the authentic transactions were killed before being recorded by the researchers.

3. As the researchers admit, we can't see how Gox actually reacted to the modified transactions. Gox resent transactions using different inputs (or addresses, even) so it's very hard to detect a resend. If they were to release their records of all withdrawal requests we could compare them to the blockchain and find any discrepancies, but they haven't done that (and it's possible they don't have complete records anyway).

Anyway, good job on the study!