[Intermernet]

I'm assuming you mean "XSS or CSRF". In both cases the first 2 letters denote "Cross Site".

But, I'm picking hairs, and as you say, the guy just lost a shed-load of coin, so mostly sympathy (with a bit of urge to educate) from this end.

EDIT: Sorry, your comment was slightly ambiguous, I apologize for picking on a typo, I originally thought you were saying that XSS and CSRF had nothing to do with "Cross Site" which, upon reading again, I noticed was not the case. (Also, I made the same typo (CRSF) while typing this and only caught it just before hitting the submit button!)

[tripzilch]

Well abovethread it turns out he must have clicked through all sorts of Java certificate warning boxes, or run an old vulnerable Java version -- now I feel about as sorry for him as someone whose laptop got stolen as they left it unattended on the table in a coffeeshop for a toilet break. You can wait for something to happen like that.