That's completely misleading. If anybody failed, it was the hacker who stopped the mixing process after 1 coinjoin, then merged enough outputs and reused addresses to make it easy to identify them. There wasn't any toxic change in the coinjoin, only coins with lower anonymity scores which would have undergone further mixing had they not interrupted it or used custom settings that are weaker than any of the default mixing options.
Yep, even without using the default minimum settings, the tracker can only claim "it looks like" the funds ended up somewhere. There is no deterministic proof since there are other possible owners of the funds; there is only a guess:
I have no doubt law enforcement will be happy to freeze his coins anyways, but this suspicion is not based on conclusive proof since the spent UTXO accused of belonging to the attacker was created alongside 2 identical UTXOs with the same value in the coinjoin, making it merely a guess. I would make the same guess based on script analysis, timing analysis of peers, amount analysis, and destinations of premix and postmix funds, but this sort of "shooting in the dark" style approach of layering multiple non-deterministic heuristics will eventually create collateral damage.