If a key was indeed stolen, they must have stolen the keys to the exchange's wallet, not a user's wallet. I heard in the press conference they don't have a multi-sig wallet, so all it took was one key and not multiple keys.
It is not possible to move funds unless you have the private key, or if you have broken the cryptographic scheme the key uses.
Since the funds have moved (visible on the overall distributed blockchain system, where everything is public), either of the two scenarios must have happened. It really is that simple; there are no other "moving parts" or "possible human error" in other parts of the system here.
So you have a case like this: the funds were moved with the private key. 24 hours after, the owner comes and says: ‘I didn’t do that! Someone else must have copied my key and made that transaction!’
How does the exchange handle that? What’s the dispute mechanism?
I'm presuming that in this case (given the amount) this was not a typical user. But is there some framework of dispute for lesser amounts?