There are two obvious issues with this:

1. Users can report higher balances than they actually have.
2. Passwords should not be needed; he already has access to the database, and if he really needed to be able to log in as the user, he could just temporarily change the password hash stored for the user.

You can't calculate the rate, but you can test and measure by running a miner on that GPU. Other people have done this before and put their results on the mining hardware comparison page linked above.

Looks like the transaction didn't include a fee. I guess that's the reason why it took so long to get confirmed.

Using Bitcoin to get money out is harder than it looks. You would have to exchange money for Bitcoins, an for that to happen, there must be people in Cyprus that are willing to sell Bitcoins that they already own (either already sold out, or very expensive), or use foreign exchanges like MtGox (restricted by foreign spending limits).

I think this isn't done by a thief, but just the way the Instawallet server works internally.

1DsSfUgo is the receiving address for your Instawallet account, which Instawallet uses to detect incoming Bitcoins. They are added to your account balance, but don't have to stay at the receiving address.

When you take Bitcoins out of your account, Instawallet can use any address as a source for the transaction to you. In this case, 1K9ZPPkx.

Think of it as a piggy bank. When you take coins out, you just grab the number of coins you need. You usually don't care which individual coins you take, you only care about the amount you're taking out.

I love Bitcoin because it's fascinating to see how it evolves.

1NazXRX8S5GtyjBV1o1ZEXBmRHDwmSKsFF