GPG key uploaded to them before the user got compromised, GPG key attached to the user's email publicly before the user was compromised, access to Bitcoin addresses where deposited funds originated, electronically signed statements "I own account X" that can hold up in court as evidence if a fraudster withdraws money, locking down IP ranges on user request, offering VPN access (which can be often better secured than https websites, e.g. with certificates) to bitfinex, knowledge of previous interactions...