Coinbase is a Centralized exchange so there's no for the ToA guy can freely move the money that he get out of Coinbase without being caught or followed since Coinbase applies mandatory KYC to all there customer and I'm pretty sure that they will find this exploit sooner or later once they do an audit so the best choice for the guy who found the bug to get a clean money as a reward is to report it and accepts the reward money in clean way.
If KYC is a mandatory requirement, surely all customers have been verified and do this exploit not necessarily from his own account. I think there are actually many ways, he could open an offer to sell his coinbase balance heavily discounted on other sites including the darkweb or convince a verified customer to withdraw his BTC gradually.
A little greediness on his side will gonna cost him a lot.
You are right in this, but often people forget when faced with the real situation.
PS: The link to the article showing an error 404. It seems it was removed already.
Fixed, thanks