by dotmanish 4811 days ago
Did these 2700 servers play a role in any DDoS attacks as well?

It would be quite a lucrative stance for the employee to sell access to these servers to one or more groups who could potentially make more use of them.


2700 servers all on the same network makes for far less of a DDoS attack than 2700 similar servers on different networks - and it's far easier to detect and block too.

They would be more valuable for bitcoin mining most likely.

2700 servers probably wouldn't be worth much for that. It would be noticed fairly quickly, given that only CPU mining would be available, and how monitored servers usually are.
If you can hide the fact that you've rooted a box, you should be able to hide the fact that you're doing bitcoin mining. Worst case, run the mining in the kernel idle thread...
The apocalyptic heat and power use might be a giveaway.
Doubt it, based on the timeline. Doesn't sound like he accessed the systems at all beyond implementing the rootkit and/or patching things up.