This looks pretty nifty. I noticed on that BTCServ hack that the small part gets spent twice to merge into a 40 BTC address. It would be useful to know what addresses payments get combined with as that may give clues about wallet (like a "back-link" on an address). I have no idea how it could be fit in a diagram because it would get "hairy" fast.
My hypothesis is that the coins change hands at the 40 BTC merge as the ip addresses switch from Germany to U.S. Maybe you could hover over a node to show any new inputs. Also the "Purity" of the coins (i.e. how much they have been mixed with the other transactions) could be represented by the thickness of the line.
So, that means the hacker either is close topologically by default or has added manually BTCServ IP as a peer? If the hacker is manually relaying thru BTCServ that's a bit like rubbing salt in a wound! Or another interpretation is that it's still controlled by BTCServ, though obviously not provably.
Or maybe the attacker sent some change back to BTCServe for some reason. I guess no matter how good future tools like this get it will still be almost impossible to prove anything.