I think the "hacker" is going to have a massive fraud lawsuit on their hands against the DAO. Combine that with bad faith arguments for punitive damages and they can probably wipe out the entire organization.
I think a real-world judge would not need to take into account how smart contracts work at all (a contract without a hand-written signature???) and blame both sides:
@Organization: How could you promise people to handle their money without any audits?
@Hacker: You don't get to keep the money you managed to siphon out of the hands of these irresponsible people.
"hacker": My transaction was valid and executed per the organization contract. Others then conspired to invalidate the transaction. Now, my transaction is dead.