I didn't study the specific contract in detail, so I could be way off base here, but...

It seems like the money could have been safely claimed using a tiny amount of crypto. Something like creating this contract:

    contract Example {
      function Example() public {
        if (keccak256(msg.sender) == HARD_CODED) {
          do_transfer();
        } else {
          do_something_terrible();
        }
    }

Would be bots be able to automatically determine that they need to swap out HARD_CODED with the hash of their own address?