What I read is they hacked wallets that had the 'Milk Sad' vulnerability (predictable private key), but I'm skeptical as that's an old CVE, IMHO it's more likely an infrastructure or communications hack or a wrench attack - the suspect is now 'missing'.
Of course it is, OTOH the nature of this 'enterprise' has been visible for quite a while now, and I'm sure, investigated quite intensively (by more than DoJ), and 'missing' only means that the general public doesn't know where he is.