That is what I thought, but in this case, the ether that are presumed to have been stolen are those that have shown up at addresses with weak keys and then moved to another address (one without a guessable key), often as soon as they show up at the first address. The authors tested this hypothesis by moving a dollar's worth of ether to one of these addresses, and it was immediately stolen from them. I do not see how one could conclude that these presumably-stolen coins were stolen through the Geth exploit.