Yes. He had used the exploit to get somewhere in the order of over 30 BTC in profit. He did withdraw his original deposit, plus 5 BTC as a bounty for finding the exploit. Had he wanted, he would have been allowed to withdraw up to 25 BTC which was the contents of the hot wallet. But being a decent guy he didn't even make an attempt to do so, something that I am very grateful for.