Hard to say, maybe in your case, at some point attackers managed to overwrite deposit address and make it fixed somewhere in website's html code.
They had customized scripts, so every case can be different.
And since fbc is not quick to act, attackers had time to adapt and improve their scripts or even improve the whole attack scenario.

I sent email about 2 weeks ago, but still waiting for response.