Board: Bitcoin Discussion
Topic: Re: [Emergency ANN] Bitcoinica site is taken offline for security investigation
Post by repentance on 26/05/2012, 00:11:51 UTC
No database backups. Sorry for avoiding the question.

OMG.

The first rule of computer using is that you *always* make backups. You back up early and you back up often, on-site and off-site.

I learned that the hard way in the early years of my 30-year computer programming career. If you don't do this then eventually you can get a *really big problem* like Bitcoinica has now.

It's still extremely bizarre that Rackspace had no way to log the hacker out and that he was still able to delete the emergency backup in spite of the servers supposedly being suspended.  That's a huge security flaw for a hosting service to have and you do have to wonder whether the hacker was aware of that "hidden feature".  Whatever mistakes were made by Bitcoinica were certainly compounded by the inability of Rackspace to totally lock down the compromised servers.

Zhou, I notice that you are focusing primarily on what is technically possible.  For a whole lot of reasons, the claims process must also have integrity from an accounting point of view.  The principals have little choice but to assume that the manner in which they process user claims may be the subject of legal action in the future and to ensure that the process complies with recognised business and accounting standards (in fact, the process should really be independently audited).  While your proposals have merit, they need to be considered in a broader business context and it would be foolish of the principals to implement them without first obtaining professional advice.