The money is literally waiting in a Bitcoin address.
it's certainly possible the private key has been lost.
That's the real tricky part indeed. You'll either have to find the exploit in the source, or find many more victims who claim the same thing.
there doesn't have to be any exploits in the source. if people are dumb enough to create their private keys online using some website then that website could be using legitimate software but just storing a copy for themself. that's all it would take. could never be proven. no exploit in the source. so the only way something could be proven is circumstantially in that alot of people claim the same thing and a judge buys their argument.