I deleted the spam PMs and banned all of the users and IPs sending them.
The source on the phishing website contains the following:
<title>Login</title><!--368ef74f52681c46ec130f3d13d9f239ea78ffb6c1718a5e8bda35ea3af8626a1c46ec130f3d13d9f239ea78ffb6c171138a3f3d4e7f8f4069051c46ec130f3d13d9f239ea78ffb6c171faa6-->
Is that last piece a session ID?
Maybe you could take a look at the logs and find out what IP was using that session ID.
It also looks like the phishing site is including style sheets from bitcointalk.org. You could set up the server to send a modified stylesheet that has a warning message added when it is requested by the phishing domain in order to warn people it is a phishing website.