Or was this error in the Gox payment system exclusively exploited by criminals?
This.
At the time there was no mass mutation of transactions. The attackers were mutating their own transactions something like this:
1 ) Attacker request withdraw.
2 ) MtGox generates tx id A (likely defective in a host of ways making the rest of the attack easier).
3 ) Attacker grabs a copy of the "busted tx" and cleans it up (mutates it). Call this tx id "B".
4 ) Attacker pushes mutated version (tx id "B") to a miner.
5 ) Tx id "B" is included in a block. Attacker has been paid.
6 ) Attacker contact MtGox stating they had not received withdraw (this is made more believable because MtGox broken wallet had created tens of thousands of legit broken transactions).
7 ) MtGox checks blockchain and tx id "A" does not exist.
8 ) MtGox pays the attacker again.
So distilled down the only way you got double paid was if you did all of the following:
a) you noticed MtGox was generating broken transactions
b) you used their API to pull a copy of the tx (because it was being dropped by relay nodes)
c) you modified the transaction to clean it up
d) you received payment and then contacted MtGox claiming you didn't.
It didn't happen by accident. Even if someone legitimately cleaned up (mutated) their transaction because MtGox was generating broken garbage, they still wouldn't get paid again unless they then lied to MtGox and told them the transaction never went through so MtGox would cut another payment.
There is no way of knowing how many times attackers did this, or even how many people working together or independently tricked MtGox into overpaying them. The withdraw issues (legitimate complaints about unconfirmed payments due to MtGox broken wallet) have been going on a month. Did the attackers realize on day 1 or only a few days ago? Only MtGox knows.
