Seems to me that MtGox still controls the balance, because the 432k BTC transferred on 6-19 were already consolidated on 6-12. Either MtGox lost control on 6-12 (no evidence of that) or they still control it now.
It also doesn't seem that an attacker was able to withdraw any significant sum during the attack. Looking at the bitcoinmonitor
screenshot, the second-largest transaction was for ~10k BTC. And inspecting the transaction for 10,020 BTC in
block 131886, we can see that those 10k BTC eventually make it into one of the 50k BTC addresses into which the 432k is split up.
More evidence that MtGox still controls the BTC.
What does remain unexplained is how ~500k BTC were sold on the books. That all ~500k sold were owned by one account whose password was cracked doesn't seem likely, primarily because ~500k appears to be more than the total sum of deposits MtGox controls (~432k + 10k and a bit more).
The numbers don't back the explanation that it was a sell-off of one compromised account. Possibly it was a sell-off of every account using their hashed passwords. There was probably some bug/exploit in the order book system in addition to the leaked account table.
