Structured like that, it honestly sounds like the only thing that "went wrong" is that an unplanned third party end ran their "technically this is completely by the book" rug pull.
The only bit of information I’ve found in support of their credibility is their willful “self-doxxing” in the announcement they made post-attack on their discord. Mind you, the names they gave for themselves could be completely false, they did not follow it up with any more identity proofing, but if the projects’ founders identities are what they say they are (and there is no cofounder/person involved with the project), logic dictates that save for some 4D-chess level scheme, no attacker would identify themselves immediately after the attack.