In order for the thief to generate the same private keys, he must also be a Blockchain.info user, and they know who he is.
The thief may be a BCI user, but it would be very stupid of him to use an address that BCI can associate with him. He could easily have generated an address with any other software, and issued the transactions without using BCI.
Unless he did the first 5.9 BTC transfer within BCI, without thinking.
There are other possibilities, I wonder:
1. The thief may have been scanning the blockchain, like @johoe, looking for weaknesses from the previous (non-BCI) bugs.
2. The BCI programmer introduced the bug on purpose, making it seem an accidental oversight; and then started scanning the queues and/or blockchains for compromised txs.
3. The thief stole the programmer's password at GitHub and uploaded the bug himself. (Perhaps he works at GitHub.)
4. The thief hacked into the programmer's computer and introduced the bug on his working copy, which the programmer eventually committed.
Has BCI excluded the last 2-3 possibilities above?