There might be other ways ownership could be proven too without signing a message. Such as: showing authentic conversations between the owner and whoever they acquired the funds from (could be socially engineered but may be harder if done using accounts that have kyc or are from a prominent figure that can vouch too), signing addresses that paid that one (especially if there's an old input that can be signed along with the address that was hacked or a screenshot of a withdrawal and additional proof - such as a forwarded email and corresponding exchange statements).