I would have, but then the term "cross site injection attack", is again Javascript terminology (he probably meant XSS or CRSF, but the term "cross site" doesn't really apply to Java applets).
However, the guy just got hacked out of about $8k worth of BC, which sucks, and for that I do give him a pass :)
I'm assuming you mean "XSS or CSRF". In both cases the first 2 letters denote "Cross Site".
But, I'm picking hairs, and as you say, the guy just lost a shed-load of coin, so mostly sympathy (with a bit of urge to educate) from this end.
EDIT: Sorry, your comment was slightly ambiguous, I apologize for picking on a typo, I originally thought you were saying that XSS and CSRF had nothing to do with "Cross Site" which, upon reading again, I noticed was not the case. (Also, I made the same typo (CRSF) while typing this and only caught it just before hitting the submit button!)
Well abovethread it turns out he must have clicked through all sorts of Java certificate warning boxes, or run an old vulnerable Java version -- now I feel about as sorry for him as someone whose laptop got stolen as they left it unattended on the table in a coffeeshop for a toilet break. You can wait for something to happen like that.
However, the guy just got hacked out of about $8k worth of BC, which sucks, and for that I do give him a pass :)