Yeah, "We noticed the hot wallets dwindling but assuming it was members moving their funds off site during the DDOS, we loaded all the cold balances onto the site"
Possiblely, but in light of the protracted duration of the DDoS, it makes sense that people would be moving their holdings off-exchange when they could connect. If the withdrawal addresses were all different -- and from what Excoin posted on their site it looks like the party responsible used multiple BTC and NBT addresses to move the funds -- multiples of small to moderate amounts of coins being requested doesn't sound out of the question.
In retrospect, it was a horrible decision not to research these transactions in depth as they happened, but the Excoin team was fighting a "bigger" fire at the time with the DDoS.
sounds extremely suspicious.